

Bisonal is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014. [1]

ID: S0268
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | Bisonal can launch cmd.exe to execute commands on the system. [1] |
| Enterprise | T1043 | Commonly Used Port | Bisonal uses 443 for C2 communications. [1] |
| Enterprise | T1024 | Custom Cryptographic Protocol | Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Bisonal decodes strings in the malware using XOR and RC4. [1] |
| Enterprise | T1107 | File Deletion | Bisonal deletes its dropper and VBS scripts from the victim’s machine. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | Bisonal's DLL file and non-malicious decoy file are encrypted with RC4. [1] |
| Enterprise | T1057 | Process Discovery | Bisonal can obtain a list of running processes on the victim’s machine. [1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Bisonal adds itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\ for persistence. [1] |
| Enterprise | T1105 | Remote File Copy | Bisonal has the capability to download files to execute on the victim’s machine. [1] |
| Enterprise | T1085 | Rundll32 | Bisonal uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez". [1] |
| Enterprise | T1064 | Scripting | Bisonal's dropper creates VBS scripts on the victim’s machine. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Bisonal uses HTTP for C2 communications. [1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Some Bisonal samples encrypt C2 communications with RC4. [1] |
| Enterprise | T1082 | System Information Discovery | Bisonal has a command to gather system information from the victim’s machine. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Bisonal can execute ipconfig on the victim’s machine. [1] |
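As an added defensive example (not part of the ATT&CK entry or its cited source), the check below runs over constructed Sysmon-style registry "value set" records and flags Run-key values that launch rundll32.exe on a DLL in a temp or public directory, which is the persistence pattern the T1060/T1085 rows describe. The event field names and the sample records are assumptions; only the "vert" value string comes from the page.

```python
import re

# Constructed sample records (not from the page); their shape loosely follows
# Sysmon Event ID 13 (RegistryEvent, value set): TargetObject + Details.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\vert",
     "Details": r"rundll32.exe c:\windows\temp\pvcu.dll , Qszdez"},          # value quoted on the page
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"rundll32.exe C:\Program Files\Vendor\helper.dll,Start"},   # DLL in a program directory
    {"EventID": 1, "TargetObject": "", "Details": r"rundll32.exe c:\windows\temp\x.dll,Y"},  # not a registry event
]

# Run / RunOnce keys under any hive prefix (HKU\<SID>, HKLM, HKCU).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# "rundll32[.exe] <dll path> , <export>": the page's sample has a space before the
# comma, so whitespace around it is tolerated; a quoted full path to rundll32 is allowed.
RUNDLL_RE = re.compile(
    r'^"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE)
# Directories a legitimate Run entry rarely loads a DLL from (compared lower-cased).
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\",
                   "\\users\\public\\", "\\programdata\\")


def rundll32_run_key_alerts(events):
    """Return one alert dict per Run-key value that launches rundll32 on a DLL in a
    suspicious directory, with the value name, DLL path and export extracted."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue
        m = RUNDLL_RE.match(ev.get("Details", "").strip())
        if not m:
            continue
        dll = m.group("dll").strip().lower()
        if any(d in dll for d in SUSPICIOUS_DIRS):
            alerts.append({"value": ev["TargetObject"].rsplit("\\", 1)[-1],
                           "dll": dll, "export": m.group("export")})
    return alerts


if __name__ == "__main__":
    for a in rundll32_run_key_alerts(SAMPLE_EVENTS):
        print(f"Run value {a['value']!r}: rundll32 loads {a['dll']} export {a['export']}")
```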