{"description": "Enterprise techniques used by Bisonal, ATT&CK software S0268 (v2.1)", "name": "Bisonal (S0268)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has used HTTP for C2 communications.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has added itself to the Registry key HKEY_CURRENT_USER\\Software\\Microsoft\\CurrentVersion\\Run\\ for persistence.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Bisonal](https://attack.mitre.org/software/S0268)'s dropper creates VBS scripts on the victim\u2019s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has been modified to be used as a Windows service.(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, 
{"techniqueID": "T1132.001", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has encoded binary data with Base64 and ASCII.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has collected information from a compromised host.(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has decoded strings in the malware using XOR and RC4.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has used a dynamic DNS service for C2.(Citation: Talos Bisonal Mar 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) variants reported on in 2014 and 2015 used a simple XOR cipher for C2.\nSome [Bisonal](https://attack.mitre.org/software/S0268) samples encrypt C2 communications with RC4.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1041", "comment": " [Bisonal](https://attack.mitre.org/software/S0268) has added the exfiltrated data to the URL over the C2 channel.(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) can retrieve a file listing from the system.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) will delete its dropper and VBS scripts from the victim\u2019s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has the capability to download files to execute on the victim\u2019s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "comment": " [Bisonal](https://attack.mitre.org/software/S0268) dropped a decoy payload with a .jpg extension that contained a malicious Visual Basic script.(Citation: Talos Bisonal Mar 2020) ", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has renamed malicious code to `msacm32.dll` to hide within a legitimate library; earlier versions were disguised as `winhelp`.(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1112", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has deleted Registry keys to clean up its prior activity.(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has used the Windows API to communicate with the Service Control Manager to execute a thread.(Citation: Talos Bisonal Mar 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has used raw sockets for network communication.(Citation: Talos Bisonal Mar 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.001", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has appended random binary data to the end of itself to generate a large binary.(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has used the MPRESS packer and similar tools for obfuscation.(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Bisonal](https://attack.mitre.org/software/S0268)'s DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1137", "showSubtechniques": true}, {"techniqueID": "T1137.006", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has been loaded through a `.wll` extension added to the `%APPDATA%\\microsoft\\word\\startup\\` repository.(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has been delivered as malicious email attachments.(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) can obtain a list of running processes on the victim\u2019s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has supported use of a proxy server.(Citation: Talos Bisonal Mar 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has used the RegQueryValueExA function to retrieve proxy information in the Registry.(Citation: Talos Bisonal Mar 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has used rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\u201dvert\u201d = \u201crundll32.exe c:\\windows\\temp\\pvcu.dll , Qszdez\u201d.(Citation: Unit 42 Bisonal July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has used commands and API calls to gather system information.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, 
{"techniqueID": "T1016", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) can execute ipconfig on the victim\u2019s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) can check the system time set on the infected host.(Citation: Kaspersky CactusPete Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has relied on users to execute malicious file attachments delivered via spearphishing emails.(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) can check to determine if the compromised system is running on VMware.(Citation: Talos Bisonal Mar 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[Bisonal](https://attack.mitre.org/software/S0268) has checked if the malware is running in a virtual environment with the anti-debug function GetTickCount() to compare the timing.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Bisonal", "color": "#66b1ff"}]}