Bisonal

Bisonal is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014. [1]

ID: S0268
Aliases: Bisonal
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

Name | Description
Bisonal | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Bisonal can launch cmd.exe to execute commands on the system. [1]
Enterprise | T1043 | Commonly Used Port | Bisonal uses port 443 for C2 communications. [1]
Enterprise | T1024 | Custom Cryptographic Protocol | Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Bisonal decodes strings in the malware using XOR and RC4. [1]
Enterprise | T1107 | File Deletion | Bisonal deletes its dropper and VBS scripts from the victim's machine. [1]
Enterprise | T1027 | Obfuscated Files or Information | Bisonal's DLL file and non-malicious decoy file are encrypted with RC4. [1]
Enterprise | T1057 | Process Discovery | Bisonal can obtain a list of running processes on the victim's machine. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Bisonal adds itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ for persistence. [1]
Enterprise | T1105 | Remote File Copy | Bisonal has the capability to download files to execute on the victim's machine. [1]
Enterprise | T1085 | Rundll32 | Bisonal uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ "vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez". [1]
Enterprise | T1064 | Scripting | Bisonal's dropper creates VBS scripts on the victim's machine. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Bisonal uses HTTP for C2 communications. [1]
Enterprise | T1032 | Standard Cryptographic Protocol | Some Bisonal samples encrypt C2 communications with RC4. [1]
Enterprise | T1082 | System Information Discovery | Bisonal has a command to gather system information from the victim's machine. [1]
Enterprise | T1016 | System Network Configuration Discovery | Bisonal can execute ipconfig on the victim's machine. [1]
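The table attributes two ciphers to Bisonal: a single-byte XOR cipher for the 2014/2015 C2 traffic and RC4 for embedded strings, the dropped DLL and decoy, and some C2 traffic. The following is an added analyst-side example, not code from the ATT&CK page or the cited report: a plain RC4 routine, a single-byte XOR routine, and a known-plaintext key recovery for the XOR case. The RC4 key, the XOR key, the NUL-separated string-table layout and the sample bytes are all assumptions constructed for the demonstration; no real Bisonal key or ciphertext appears here.

```python
from typing import List, Optional

# Added example: decoders for the two ciphers the table attributes to Bisonal.
# Keys, string-table layout and sample bytes below are constructed for
# illustration and are NOT taken from any Bisonal sample.


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). RC4 is symmetric, so this one function both
    encrypts and decrypts; a wrong key simply yields garbage rather than an error."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, keystream XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Simple XOR cipher with a one-byte key, the scheme the 2014/2015 C2 variants used."""
    return bytes(b ^ key for b in data)


def recover_xor_key(data: bytes, known_prefix: bytes) -> Optional[int]:
    """Recover a single-byte XOR key from a known plaintext prefix
    (e.g. b"MZ" for a PE header, or a command string seen in a decoy)."""
    for k in range(256):
        if xor_single_byte(data[: len(known_prefix)], k) == known_prefix:
            return k
    return None


def decode_strings(blob: bytes, key: bytes) -> List[str]:
    """RC4-decrypt a buffer of NUL-separated strings and return the ASCII ones.
    The NUL-separated layout is an assumption for this demo, not a Bisonal format."""
    plain = rc4(key, blob)
    return [s.decode("ascii") for s in plain.split(b"\x00") if s and s.isascii()]


# Constructed sample data (assumptions): a string table holding names the
# ATT&CK page mentions, encrypted under a demo key, and a XOR-encoded beacon.
DEMO_RC4_KEY = b"demo-key"
DEMO_STRINGS = [b"cmd.exe", b"ipconfig", b"pvcu.dll"]
DEMO_BLOB = rc4(DEMO_RC4_KEY, b"\x00".join(DEMO_STRINGS) + b"\x00")

DEMO_XOR_KEY = 0x5A
DEMO_BEACON = xor_single_byte(b"cmd.exe /c ipconfig", DEMO_XOR_KEY)

if __name__ == "__main__":
    print(decode_strings(DEMO_BLOB, DEMO_RC4_KEY))
    k = recover_xor_key(DEMO_BEACON, b"cmd")
    print(hex(k), xor_single_byte(DEMO_BEACON, k))
```

Because RC4 has no integrity check, the only signal that a candidate key is right is that the output looks like strings or a PE header; in practice the key is pulled from the decryption routine in the sample, and `recover_xor_key` is the shortcut that works only for the single-byte XOR variants.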
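The persistence rows (T1060 and T1085) describe a concrete, huntable pattern: a Run-key value that invokes rundll32.exe on a DLL sitting in c:\windows\temp. The following is an added detection example, not code from the ATT&CK page or the cited report. It parses exported Run-key values and flags rundll32 entries whose DLL lives in a temporary or user-writable directory. The entry list, the benign values in it and the list of suspicious directories are constructed assumptions; only the "vert" value is the one quoted on the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example: flag Run-key values that use rundll32.exe to load a DLL from a
# temporary or user-writable directory. The entries and the directory list are
# constructed assumptions; only the "vert" value is quoted from the page.

# Directories from which a legitimately installed DLL is rarely loaded at logon.
SUSPICIOUS_DIRS = (
    "\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# rundll32[.exe] [path\]dll[ ],export  with optional quoting, optional full
# path to rundll32, and whitespace on either side of the comma (the page's
# sample has a space before the comma).
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)',
    re.IGNORECASE,
)


def parse_rundll32(command: str) -> Optional[Dict[str, str]]:
    """Return the DLL path and export name from a rundll32 command line, or None."""
    m = RUNDLL32_RE.match(command)
    if not m:
        return None
    return {"dll": m.group(1).strip(), "export": m.group(2).strip('"')}


def dll_path_is_suspicious(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def find_suspicious_run_values(entries: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """entries: (key, value name, command) tuples as exported from the Run keys.
    Returns one finding per rundll32 value that loads a DLL from a suspicious path."""
    findings = []
    for key, name, command in entries:
        parsed = parse_rundll32(command)
        if parsed is None or not dll_path_is_suspicious(parsed["dll"]):
            continue
        findings.append({"key": key, "value": name, **parsed})
    return findings


RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed export of a Run key: the first value is the one the page quotes,
# the rest are made-up benign and malicious-looking entries for the demo.
DEMO_ENTRIES = [
    (RUN_KEY, "vert", r"rundll32.exe c:\windows\temp\pvcu.dll , Qszdez"),
    (RUN_KEY, "SyncTool", r'"C:\Program Files\SyncTool\synctool.exe" /background'),
    (RUN_KEY, "Updater", r'"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Local\Temp\up.dll",Start'),
    (RUN_KEY, "Sound", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for f in find_suspicious_run_values(DEMO_ENTRIES):
        print(f"{f['key']}\\{f['value']}: {f['dll']} -> {f['export']}")
```

On a live host the entry list would come from enumerating the HKCU and HKLM Run keys (for example with `reg query` or Python's `winreg`), and the same parser applies to Sysmon registry-set events. The path list is deliberately narrow: rundll32 itself is legitimate and common, so the signal is the combination of rundll32, a writable drop directory and, as in the page's sample, a non-descriptive export name.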

References