Group: BRONZE BUTLER, REDBALDKNIGHT, Tick

Group
ID: G0060
Aliases: BRONZE BUTLER, REDBALDKNIGHT, Tick

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2]

Alias Descriptions

  • BRONZE BUTLER [1]
  • REDBALDKNIGHT [1]
  • Tick [1]

Techniques Used

  • Remote File Copy - BRONZE BUTLER has used various tools to download files, including DGet (a tool similar to wget).[2]
  • Custom Cryptographic Protocol - BRONZE BUTLER has used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.[2]
  • Data Encoding - Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server.[2]
  • Data Compressed - BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.[2]
  • Binary Padding - BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.[2]
  • PowerShell - BRONZE BUTLER has used PowerShell for execution.[2]
  • Scripting - BRONZE BUTLER has used VBS, VBE, and batch scripts for execution.[2]
  • Pass the Ticket - BRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.[2]
  • Account Discovery - BRONZE BUTLER has used net user /domain to identify account information.[2]
  • Scheduled Task - BRONZE BUTLER has used at and schtasks to register a scheduled task to execute malware during lateral movement.[2]
  • Masquerading - BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[2]
  • Data Encrypted - BRONZE BUTLER has compressed and encrypted data into password-protected RAR archives prior to exfiltration.[2]
  • File and Directory Discovery - BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.[2]
  • File Deletion - The BRONZE BUTLER uploader, or the malware the uploader uses, issues a command to delete the RAR archives after they have been exfiltrated.[2]
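As an added example (not from the ATT&CK page or from the cited reports), a small triage check for the Binary Padding behaviour listed above: it flags a file whose tail is one long run of a single repeated byte value, the pattern left by appending "0" characters to inflate file size. The run-length and ratio thresholds are assumptions to tune per environment, and the sample files are constructed.

```python
"""Added example: detect trailing single-byte padding of the kind described
for the BRONZE BUTLER downloader. Not code from the page or the group."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PaddingReport:
    total_size: int
    pad_byte: int     # value of the byte repeated at the end of the file
    pad_length: int   # number of trailing bytes equal to pad_byte

    @property
    def pad_ratio(self) -> float:
        """Share of the file taken up by the trailing run."""
        return self.pad_length / self.total_size if self.total_size else 0.0


def trailing_run(data: bytes) -> Tuple[int, int]:
    """Return (byte_value, run_length) for the run of identical bytes at the end."""
    if not data:
        return (0, 0)
    last = data[-1]
    stripped = data.rstrip(bytes([last]))
    return (last, len(data) - len(stripped))


def analyze_padding(data: bytes, min_run: int = 4096,
                    min_ratio: float = 0.5) -> Optional[PaddingReport]:
    """Return a PaddingReport when the trailing run looks like deliberate
    padding, else None. The check is byte-agnostic: ASCII "0" (0x30), NUL or
    any other repeated value is caught. Both thresholds are assumptions;
    the ratio guard keeps ordinary section alignment in large binaries from
    being flagged."""
    byte_value, run = trailing_run(data)
    report = PaddingReport(len(data), byte_value, run)
    if run >= min_run and report.pad_ratio >= min_ratio:
        return report
    return None


# Constructed samples: a small body followed by 20000 ASCII "0" characters,
# and a body of the same style with no padding at all.
PADDED_SAMPLE = b"MZ" + bytes(range(256)) * 4 + b"0" * 20000
CLEAN_SAMPLE = b"MZ" + bytes(range(256)) * 40

if __name__ == "__main__":
    for name, blob in (("padded", PADDED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        r = analyze_padding(blob)
        print(name, "-> suspicious padding" if r else "-> no padding", r)
```

On a real sample, feed the file contents to analyze_padding and treat a hit as a reason to compare the file's hash and size against the known-good copy before trusting an AV "clean" verdict.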

Software