BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]

ID: S0470
Platforms: Windows
Version: 1.0
Created: 10 June 2020
Last Modified: 24 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BBK has the ability to use HTTP in communications with C2.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

BBK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

BBK has the ability to decrypt AES encrypted payloads.[1]

Enterprise T1105 Ingress Tool Transfer

BBK has the ability to download files from C2 to the infected host.[1]

Enterprise T1106 Native API

BBK has the ability to use the CreatePipe API to add a sub-process for execution via cmd.[1]

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

BBK can extract a malicious Portable Executable (PE) from a photo.[1]

Enterprise T1055 Process Injection

BBK has the ability to inject shellcode into svchost.exe.[1]

Groups That Use This Software

ID Name References