1. Home
  2. Software
  3. Bisonal

Bisonal

Bisonal is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014.[1]

ID: S0268
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 17 October 2018
Last Modified: 17 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Bisonal uses HTTP for C2 communications.[1][2]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Bisonal adds itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\ for persistence.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Bisonal can launch cmd.exe to execute commands on the system.[1][2]
.005 Command and Scripting Interpreter: Visual Basic

Bisonal's dropper creates VBS scripts on the victim’s machine.[1]
Enterprise T1132 .001 Data Encoding: Standard Encoding

Bisonal has encoded binary data with Base64.[2]
Enterprise T1140 Deobfuscate/Decode Files or Information

Bisonal decodes strings in the malware using XOR and RC4.[1]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.[1][2]
Enterprise T1083 File and Directory Discovery

Bisonal can retrieve a file list of a specified folder.[2]
Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Bisonal deletes its dropper and VBS scripts from the victim’s machine.[1][2]
Enterprise T1105 Ingress Tool Transfer

Bisonal has the capability to download files to execute on the victim’s machine.[1][2]
Enterprise T1027 Obfuscated Files or Information

Bisonal's DLL file and non-malicious decoy file are encrypted with RC4.[1]
Enterprise T1057 Process Discovery

Bisonal can obtain a list of running processes on the victim’s machine.[1][2]
Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

Bisonal uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\"vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez".[1]
Enterprise T1082 System Information Discovery

Bisonal has a command to gather system information from the victim’s machine.[1][2]
Enterprise T1016 System Network Configuration Discovery

Bisonal can execute ipconfig on the victim’s machine.[1][2]
Enterprise T1124 System Time Discovery

Bisonal can check the system time set on the infected host.[2]
Enterprise T1497 Virtualization/Sandbox Evasion

Bisonal checks if the malware was executed within a VMware environment.[2]

Groups That Use This Software

ID Name References
G0131 Tonto Team

[2][3]

References

  1. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  2. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  1. Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.