Bisonal is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014.[1]

ID: S0268
Platforms: Windows
Version: 1.2
Created: 17 October 2018
Last Modified: 17 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Bisonal uses HTTP for C2 communications.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Bisonal adds itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\ for persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Bisonal can launch cmd.exe to execute commands on the system.[1][2]

.005 Command and Scripting Interpreter: Visual Basic

Bisonal's dropper creates VBS scripts on the victim’s machine.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Bisonal has encoded binary data with Base64.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Bisonal decodes strings in the malware using XOR and RC4.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.[1][2]

Enterprise T1083 File and Directory Discovery

Bisonal can retrieve a file list of a specified folder.[2]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Bisonal deletes its dropper and VBS scripts from the victim’s machine.[1][2]

Enterprise T1105 Ingress Tool Transfer

Bisonal has the capability to download files to execute on the victim’s machine.[1][2]

Enterprise T1027 Obfuscated Files or Information

Bisonal's DLL file and non-malicious decoy file are encrypted with RC4.[1]

Enterprise T1057 Process Discovery

Bisonal can obtain a list of running processes on the victim’s machine.[1][2]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

Bisonal uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\"vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez".[1]

Enterprise T1082 System Information Discovery

Bisonal has a command to gather system information from the victim’s machine.[1][2]

Enterprise T1016 System Network Configuration Discovery

Bisonal can execute ipconfig on the victim’s machine.[1][2]

Enterprise T1124 System Time Discovery

Bisonal can check the system time set on the infected host.[2]

Enterprise T1497 Virtualization/Sandbox Evasion

Bisonal checks if the malware was executed within a VMware environment.[2]

Groups That Use This Software

ID Name References
G0131 Tonto Team