Software: BBSRAT

ID S0127
Aliases BBSRAT
Type Malware
Platform Windows

BBSRAT is malware with remote access tool functionality that has been used in targeted compromises.1

Techniques Used

  • Component Object Model Hijacking - BBSRAT has been seen persisting via COM hijacking through replacement of the COM object for MruPidlList {42aedc87-2188-41fd-b9a3-0c966feabec1} or for Microsoft WBEM New Event Subsystem {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}, depending on the system's CPU architecture.1
  • DLL Side-Loading - DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe, which is vulnerable to the technique. The dropper dropped the Citrix executable alongside BBSRAT.1
  • Process Hollowing - BBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution.1
  • Registry Run Keys / Start Folder - BBSRAT has been loaded through DLL side-loading by the legitimate Citrix executable ssonsvr.exe, which is set to persist through a registry Run key value at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe
  • Standard Application Layer Protocol - BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control, fetching commands and sending ZLIB-compressed data back to the C2 server.1
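The two registry-based persistence mechanisms listed above (COM hijacking of the two named CLSIDs, and the Run key value that launches the side-loaded ssonsvr.exe) can be checked offline from a registry export. The following script is an added example and is not code from the page or from any BBSRAT analysis: it parses a minimal .reg-style export and reports (a) any InprocServer32 entry for the two CLSIDs that is either a per-user (HKCU) override or points outside System32, and (b) any Run value launching ssonsvr.exe from outside Program Files. The trusted-directory lists, the registry export text and the DLL/EXE paths in it are constructed assumptions for illustration; a genuine Citrix installation path must be excluded by your own environment's conventions.

```python
"""Scan a .reg-style export for the BBSRAT persistence mechanisms named on
this page: COM hijacking of two CLSIDs and a Run key entry for ssonsvr.exe.
Added example; the export text at the bottom is constructed."""
import ntpath
import re
from typing import Dict, List

# CLSIDs the page names as the COM objects BBSRAT replaces.
HIJACKED_CLSIDS = {
    "{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}": "MruPidlList",
    "{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}": "Microsoft WBEM New Event Subsystem",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SIDELOAD_HOST = "ssonsvr.exe"
# Assumption: a genuine system COM server lives under System32/SysWOW64 and a
# genuine Citrix install under Program Files. Tune these for your estate.
TRUSTED_COM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TRUSTED_CITRIX_DIRS = (r"c:\program files", r"c:\program files (x86)")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s: str) -> str:
    """Strip the quotes of a REG_SZ literal and undo .reg backslash escaping."""
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}; '@' is the (Default) value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def _under(path: str, roots) -> bool:
    return path.strip('"').lower().startswith(roots)


def find_bbsrat_persistence(export: str) -> List[str]:
    """Return human-readable findings for the two persistence mechanisms."""
    findings: List[str] = []
    for key, values in parse_reg_export(export).items():
        parts = key.split("\\")
        # (a) COM hijack: InprocServer32 of one of the targeted CLSIDs.
        if len(parts) >= 2 and parts[-1].lower() == "inprocserver32":
            clsid = parts[-2].upper()
            if clsid in HIJACKED_CLSIDS:
                dll = values.get("@", "")
                name = HIJACKED_CLSIDS[clsid]
                if parts[0].upper() == "HKEY_CURRENT_USER":
                    # A per-user CLSID shadows the machine-wide one for that user.
                    findings.append(f"COM hijack: per-user override of {name} {clsid} -> {dll}")
                elif not _under(dll, TRUSTED_COM_DIRS):
                    findings.append(f"COM hijack: {name} {clsid} server outside System32 -> {dll}")
        # (b) Run key: ssonsvr.exe launched from a non-Citrix location.
        if key.upper() == RUN_KEY.upper():
            for name, data in values.items():
                exe = data.strip('"')
                if ntpath.basename(exe).lower() == SIDELOAD_HOST and not _under(exe, TRUSTED_CITRIX_DIRS):
                    findings.append(f"Run key: value '{name}' launches {SIDELOAD_HOST} from {exe}")
    return findings


# Constructed sample export: one hijacked CLSID (HKCU), one untouched CLSID
# with a placeholder System32 server, and a Run entry for a dropped ssonsvr.exe.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"ssonsvr.exe"="C:\\ProgramData\\Citrix\\ssonsvr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="C:\\Windows\\system32\\legit_server.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\\Users\\Public\\mrupidl.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for finding in find_bbsrat_persistence(SAMPLE_EXPORT):
        print(finding)
```

Feed it the output of `reg export HKLM\SOFTWARE\Classes\CLSID`, the HKCU equivalent and the Run key on a suspect host. Because the HKCU CLSID branch is writable without administrator rights, the per-user override check is the one that catches the low-privilege variant of this hijack; the System32 check covers the machine-wide variant.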
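The C2 description above (GET/POST over HTTP or HTTPS with ZLIB-compressed data sent back) gives a concrete thing to look for in decrypted or plaintext traffic: a request body that begins with a zlib header and inflates cleanly. The following is an added example, not code from the page or from any BBSRAT sample, and the request bytes, host name and payload in it are constructed. It checks the two RFC 1950 header bytes cheaply before attempting a full decompression, so it can run on every request without the cost of inflating arbitrary bodies.

```python
"""Flag HTTP requests whose body is a zlib stream, the C2 shape this page
attributes to BBSRAT. Added example; the requests below are constructed."""
import zlib
from typing import Optional, Tuple


def split_http_request(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (method, path, body) from a raw HTTP/1.x request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, path = request_line.split(b" ")[:2]
    return method, path, body


def looks_like_zlib(body: bytes) -> bool:
    """RFC 1950 header check: CM (low nibble of CMF) is 8 for deflate and
    the CMF/FLG pair is a multiple of 31 (the FCHECK bits guarantee this)."""
    if len(body) < 2:
        return False
    cmf, flg = body[0], body[1]
    return (cmf & 0x0F) == 8 and ((cmf << 8) | flg) % 31 == 0


def inflate(body: bytes) -> Optional[bytes]:
    """Decompress a complete zlib stream, or return None if it is not one."""
    try:
        return zlib.decompress(body)
    except zlib.error:
        return None


def classify_request(raw: bytes) -> Optional[dict]:
    """Return details for a GET/POST carrying a zlib body, else None."""
    method, path, body = split_http_request(raw)
    if method not in (b"GET", b"POST") or not looks_like_zlib(body):
        return None
    return {
        "method": method.decode(),
        "path": path.decode(),
        "compressed_len": len(body),
        "inflated": inflate(body),  # None means header matched but stream is truncated/bogus
    }


# Constructed traffic: a beacon-style POST with a zlib body, a plain GET, and
# an ordinary form POST. The host name is a placeholder.
SAMPLE_PAYLOAD = b"hostname=WKSTN01&user=alice&cmd_result=ok"
_COMPRESSED = zlib.compress(SAMPLE_PAYLOAD)
SAMPLE_POST = (
    b"POST /update HTTP/1.1\r\nHost: c2.example.invalid\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_COMPRESSED)
) + _COMPRESSED
BENIGN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
BENIGN_FORM_POST = (
    b"POST /login HTTP/1.1\r\nHost: www.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n\r\nuser=alice&pass=secret"
)

if __name__ == "__main__":
    for req in (SAMPLE_POST, BENIGN_GET, BENIGN_FORM_POST):
        print(classify_request(req))
```

Legitimate clients also send compressed bodies, but they advertise it with a Content-Encoding header; a zlib stream in a body with no such header, posted to a bare path, is the combination worth alerting on. Over HTTPS this check only works at a TLS-inspecting proxy or on the host itself.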