The sub-techniques beta is now live! Read the release blog post for more info.


Bisonal is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014. [1]

ID: S0268
Platforms: Windows
Version: 1.0
Created: 17 October 2018
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Bisonal can launch cmd.exe to execute commands on the system.[1]

Enterprise T1043 Commonly Used Port

Bisonal uses 443 for C2 communications.[1]

Enterprise T1024 Custom Cryptographic Protocol

Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Bisonal decodes strings in the malware using XOR and RC4.[1]

Enterprise T1107 File Deletion

Bisonal deletes its dropper and VBS scripts from the victim’s machine.[1]

Enterprise T1027 Obfuscated Files or Information

Bisonal's DLL file and non-malicious decoy file are encrypted with RC4.[1]

Enterprise T1057 Process Discovery

Bisonal can obtain a list of running processes on the victim’s machine.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Bisonal adds itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\ for persistence.[1]

Enterprise T1105 Remote File Copy

Bisonal has the capability to download files to execute on the victim’s machine.[1]

Enterprise T1085 Rundll32

Bisonal uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\"vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez".[1]

Enterprise T1064 Scripting

Bisonal's dropper creates VBS scripts on the victim’s machine.[1]

Enterprise T1071 Standard Application Layer Protocol

Bisonal uses HTTP for C2 communications.[1]

Enterprise T1032 Standard Cryptographic Protocol

Some Bisonal samples encrypt C2 communications with RC4.[1]

Enterprise T1082 System Information Discovery

Bisonal has a command to gather system information from the victim’s machine.[1]

Enterprise T1016 System Network Configuration Discovery

Bisonal can execute ipconfig on the victim’s machine.[1]