Bisonal is a remote access tool that the Tonto Team has used to attack public and private sector organizations in Russia, South Korea, and Japan since at least 2010. The malware is designed to infect Windows systems and can gather system information, execute commands, and download and run files on the victim's machine. Bisonal is often delivered as a malicious attachment in an email and can persist on the system by adding itself to the Windows Registry. The malware has been packed with MPRESS in the past, and uses Base64 and ASCII encoding for data exfiltration.
Bisonal Malware Capabilities
Bisonal is malware that may be used to enumerate files and directories, search for specific information, or interact with the native OS application programming interface. It may also use binary padding to increase the size of a binary beyond what some security tools are capable of handling. Additionally, Bisonal may transfer tools or other files from an external system into a compromised environment, or its operators may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.

Bisonal may use a number of techniques to avoid detection and analysis, including encrypting communication traffic, using proxy servers, and placing files in trusted locations. It may also employ time-based checks and alter its behavior based on the results of checks for virtual machine artifacts. In addition, Bisonal may delete files left behind by its activity and attempt to masquerade its artifacts as legitimate files.
- Bisonal may use obfuscated files or information to hide its contents from analysis, and may use process discovery to learn what software is commonly running on systems within a network in order to shape its follow-on behavior. Additionally, Bisonal may use binary padding to increase the size of its binaries beyond what some security tools are capable of handling.
- Bisonal may transfer tools or other files from an external system into a compromised environment in order to gain access to victim systems. Once present, its operators may also transfer or spread tools between victim devices within the compromised environment. In addition, Bisonal may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
- Bisonal uses various techniques to avoid detection and evade defenses, including symmetric encryption to conceal command and control traffic, proxies to direct traffic, and file or resource names that match or approximate those of legitimate files.
- Bisonal may employ various means to detect and avoid virtualization and analysis environments. It may delete files left behind by its intrusion activity, and it may manipulate features of its artifacts to make them appear legitimate or benign to users and/or security tools.
- Bisonal is a remote access tool that may be used to avoid detection by blending in with existing traffic. It may also abuse Visual Basic for execution and achieve persistence by adding an entry to the Registry or startup folder.
- Bisonal may use various methods to execute its code while avoiding detection, including abusing rundll32.exe, packing its software, or using virtual machine software protection. These techniques help conceal its code from security tools.
- Bisonal may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Additionally, Bisonal may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. An adversary may rely upon a user opening a malicious file in order to gain execution.
- Bisonal may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Additionally, Bisonal may dynamically establish connections to command and control infrastructure to evade common detections and remediations.
- Bisonal may interact with the Windows Registry to gather information about the system, its configuration, and installed software. It may use a non-application-layer protocol for communication between host and C2 server or among infected hosts within a network, and it may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect.
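Bisonal encodes exfiltrated data and C2 content with Base64 (see the overview and the last capability above). The script below is an added example, not code from the page or from any analysis of Bisonal: it scans constructed proxy log lines for long Base64 runs in outbound request bodies, decodes the ones that yield printable text, and keeps those that look like a hostname/user/OS check-in. The log format, the beacon layout (`host|user|os`) and the printable-ratio cut-off are assumptions made for illustration.

```python
"""Find Base64-encoded host information in outbound HTTP request bodies.

Added example with constructed proxy log lines; the log format and the
encoded beacon content are assumptions, not Bisonal's real C2 protocol.
"""
import base64
import binascii
import re
import string

# Constructed sample: "<client> <method> <url> body=<request body>" per line.
# The first body is the Base64 encoding of "WIN-PC01|admin|Windows 7", the kind
# of hostname/user/OS check-in a remote access tool sends; the others are benign.
SAMPLE_LOG = """\
10.0.0.5 POST http://203.0.113.7/index.php body=V0lOLVBDMDF8YWRtaW58V2luZG93cyA3
10.0.0.5 GET http://intranet.example/login body=
10.0.0.8 POST http://update.example/check body=version=1.2&lang=en
"""

# Runs of Base64 alphabet characters long enough to be worth decoding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
_PRINTABLE = set(string.printable)
# Assumed markers of a host-information beacon: field separators or an OS name.
_HOST_INFO = re.compile(r"\|.*\||Windows|Microsoft", re.I)


def decode_if_text(token: str):
    """Decode `token` as strict Base64; return the text if it is mostly printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    printable = sum(ch in _PRINTABLE for ch in text) / len(text)
    return text if printable > 0.9 else None


def find_encoded_beacons(log_text: str):
    """Return (client, url, decoded_text) for each body carrying a decodable Base64 blob."""
    hits = []
    for line in log_text.splitlines():
        client, _method, url, body_field = line.split(" ", 3)
        body = body_field.partition("body=")[2]
        for token in _B64_TOKEN.findall(body):
            decoded = decode_if_text(token)
            if decoded is not None:
                hits.append((client, url, decoded))
    return hits


def host_info_beacons(log_text: str):
    """Narrow the hits to decoded payloads that look like host/user/OS information."""
    return [hit for hit in find_encoded_beacons(log_text) if _HOST_INFO.search(hit[2])]


if __name__ == "__main__":
    for client, url, decoded in host_info_beacons(SAMPLE_LOG):
        print(f"{client} -> {url}: decoded {decoded!r}")
```

Strict decoding (`validate=True`) rejects ordinary words that happen to be long, and the printable-ratio check drops Base64 that wraps binary content such as images, so what remains is short text that a client should rarely send to an external host in encoded form; the same check works on URL query parameters or DNS labels.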
Ways to Mitigate Bisonal Malware Attacks
- Detection techniques that apply to Bisonal include monitoring for system and network discovery activity, script monitoring, and API call monitoring. These help to identify and prevent malicious activity.
- Deobfuscation or decoding of files or information is difficult to detect directly, but it can be identified after the fact by monitoring process and command-line activity. Additionally, file-based signature scanning may be able to detect padded files, which are often used to conduct an intrusion.
- Further mitigations include monitoring for file creation and unusual process activity, using intrusion detection systems and email gateways, and detecting file obfuscation.
- Malware that uses encryption can be mitigated by analyzing network data for unusual activity, collecting file hashes, and monitoring files for changes.
- Analyzing network data for unusual or unexpected data flows may help to detect malicious activity such as lateral movement, as may observing suspicious processes that gather system information or perform other activities that are out of the norm. Additionally, Registry changes may be monitored for suspicious activity, and changes to files within the startup folder may also be considered suspicious.
- Virtualization, sandboxing, user activity monitoring, and similar discovery techniques may be employed in order to detect and prevent malicious activity. Additionally, it is important to monitor for known deletion and secure-deletion tools that may be used by an adversary, as well as for any unusual files or file activity that may be indicative of malicious activity.
- Another mitigation strategy involves analyzing network data for unusual or unexpected data flows, as well as monitoring system events for indications of malicious activity. Additionally, the Registry and startup folder should be monitored for changes that could indicate an attempt at persistence by an attacker.
- System and network discovery monitoring, process monitoring, and file scanning make it possible to detect anomalous activity that may be indicative of malicious activity.
- Monitor processes and command-line arguments for actions that could be taken to collect files from a system or create or modify services. Remote access tools with built-in features may interact directly with the Windows API to gather data or perform these functions outside of typical system utilities.
- Algorithm-generated domain names can be detected with frequency analysis and Markov chains, and by checking for recently registered or rarely visited domains. Additionally, command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone.
- Taken together, system and network discovery techniques, analysis of network traffic and data flows, and identification of unusual or unexpected activity make it possible to detect and prevent malware infections and activity.
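The list above notes that file-based scanning may catch padded binaries. The following is an added example, not code from the page: it measures the run of identical bytes at the end of a file image and the entropy of its tail, and flags a file whose bulk is a single repeated byte. The sample files are constructed in memory, and the run-length and fraction thresholds are assumptions chosen for illustration.

```python
"""Heuristics for spotting binary padding in a file image.

Added example: the sample files are constructed in memory and the thresholds
are assumptions chosen for illustration, not values from any product.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated byte value, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def trailing_run_length(data: bytes) -> int:
    """Number of identical bytes at the very end of the file."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(bytes([data[-1]])))


def padding_report(data: bytes, min_run: int = 1024 * 1024, tail_window: int = 64 * 1024) -> dict:
    """Return the measurements and a verdict on whether `data` looks padded.

    Assumed rule: a run of one byte value at least `min_run` long that makes up
    more than half the file. The entropy of the last `tail_window` bytes is
    reported as well, because a scanner that only examines the head of a large
    file never sees it.
    """
    run = trailing_run_length(data)
    fraction = run / len(data) if data else 0.0
    return {
        "size": len(data),
        "trailing_run": run,
        "padded_fraction": round(fraction, 3),
        "tail_entropy": round(shannon_entropy(data[-tail_window:]), 3),
        "padded": run >= min_run and fraction > 0.5,
    }


def build_padded_sample() -> bytes:
    """Constructed stand-in for a padded executable: 4 KiB of random content, then 2 MiB of nulls."""
    rng = random.Random(1)
    body = bytes(rng.getrandbits(8) for _ in range(4096)) + b"\xc3"  # ends on a non-null byte
    return body + b"\x00" * (2 * 1024 * 1024)


def build_clean_sample() -> bytes:
    """Constructed stand-in for an ordinary binary with no padding."""
    rng = random.Random(2)
    return bytes(rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for name, sample in (("padded", build_padded_sample()), ("clean", build_clean_sample())):
        print(name, padding_report(sample))
```

A repeated-byte run only catches null or filler padding; junk appended as random bytes keeps the tail entropy high, so in practice this check is paired with an overlay-size check (bytes past the last section declared in the PE header) and with the plain size limit of the scanner in use.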
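Several of the points above recommend watching the Registry, the startup folder and service definitions for persistence, and checking whether a persisted file masquerades as a system binary or runs through rundll32.exe or a script host. The triage script below is an added example, not code from the page: it runs those rules over a constructed batch of endpoint events shaped like Sysmon Event ID 13 (RegistryEvent, value set) and Event ID 11 (FileCreate) records. The field names follow Sysmon's schema; the SID, paths, indicator patterns and severity rules are assumptions for illustration.

```python
"""Triage Sysmon-style endpoint events for persistence via Run keys, the
Startup folder, and service ImagePath values.

Added example: the events are constructed in the shape of Sysmon Event ID 13
(RegistryEvent, value set) and Event ID 11 (FileCreate) records; the patterns
and severity rules are assumptions for illustration.
"""
import re

# Constructed sample events (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinHelp\ImagePath",
     "Details": r"rundll32.exe C:\ProgramData\help.dll,Start"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\Software\Vendor\Theme", "Details": "dark"},
]

# Where persistence entries live.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SERVICE_IMAGE = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

# What makes an entry suspicious (assumed rules).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|bat|ps1)$", re.I)
PROXY_EXEC = re.compile(r"\b(rundll32|wscript|cscript)\.exe", re.I)
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}


def classify(event):
    """Return (mechanism, target) if the event writes a persistence location, else None."""
    if event["EventID"] == 13:
        key, value = event["TargetObject"], event["Details"]
        if RUN_KEY.search(key):
            return "registry-run", value
        if SERVICE_IMAGE.search(key):
            return "service", value
    elif event["EventID"] == 11:
        path = event["TargetFilename"]
        if STARTUP_DIR.search(path):
            return "startup-folder", path
    return None


def suspicious_reasons(target):
    """Collect the assumed indicators that make a persisted target worth a look."""
    reasons = []
    if USER_WRITABLE.search(target):
        reasons.append("target lives in a user-writable directory")
    if SCRIPT_EXT.search(target):
        reasons.append("target is a script file")
    if PROXY_EXEC.search(target):
        reasons.append("target runs through a script/DLL host")
    # A system binary name outside the Windows directory is a masquerade indicator.
    for name in re.findall(r'[^\\\s"]+\.exe', target, re.I):
        if name.lower() in SYSTEM_BINARIES and not re.search(r"\\Windows\\", target, re.I):
            reasons.append(f"masquerade: {name} referenced outside the Windows directory")
    return reasons


def triage(events):
    """Return one finding per persistence write, severity 'high' if any indicator fires."""
    findings = []
    for event in events:
        hit = classify(event)
        if hit is None:
            continue
        mechanism, target = hit
        reasons = suspicious_reasons(target)
        findings.append({
            "mechanism": mechanism,
            "writer": event["Image"],
            "target": target,
            "reasons": reasons,
            "severity": "high" if reasons else "info",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['mechanism']}: {f['target']} (written by {f['writer']}) {f['reasons']}")
```

Every write to a persistence location is recorded, not only the suspicious ones; the vendor installer's Run value comes out as `info`, which keeps the baseline of legitimate autostarts visible for comparison while the user-writable path, the `.vbs` in the Startup folder and the rundll32-hosted service stand out as `high`.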
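The point above about detecting algorithm-generated domain names with Markov chains can be shown concretely. The script below is an added example, not code from the page: it trains a first-order character-bigram Markov chain on known-good labels and scores new labels by their average per-transition log-probability, so that names built from letter pairs never seen in normal domains score low. `BENIGN_TRAINING` is a small constructed stand-in for a real baseline (the organisation's resolved-domain history or a popular-domains list), and the add-one smoothing and the threshold rule are assumptions for illustration.

```python
"""Score DNS labels with a character-bigram Markov chain to surface
algorithm-generated names.

Added example: BENIGN_TRAINING is a small constructed stand-in for a real
baseline; the smoothing and the threshold rule are assumptions.
"""
import math
from collections import defaultdict

BENIGN_TRAINING = [
    "google", "microsoft", "windows", "update", "office", "outlook", "mail", "login",
    "account", "support", "download", "cloud", "service", "secure", "portal", "intranet",
    "example", "weather", "news", "shopping", "online", "network", "server", "backup",
]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
START = "^"  # marks the start of a label so the model learns how names begin
END = "$"    # marks the end of a label so the model learns how names finish


class BigramModel:
    """First-order Markov chain over characters, trained on known-good labels."""

    def __init__(self, samples):
        self.counts = defaultdict(lambda: defaultdict(int))
        for label in samples:
            padded = START + label.lower() + END
            for a, b in zip(padded, padded[1:]):
                self.counts[a][b] += 1
        # Assumed threshold rule: flag anything scoring worse than every training label.
        self.threshold = min(self.score(label) for label in samples)

    def transition_logprob(self, a, b):
        row = self.counts.get(a, {})
        total = sum(row.values())
        # Add-one smoothing over the alphabet plus the end marker, so an unseen
        # transition gets a small non-zero probability instead of -inf.
        return math.log((row.get(b, 0) + 1) / (total + len(ALPHABET) + 1))

    def score(self, label):
        """Average log-probability per transition; higher means more 'normal'."""
        padded = START + label.lower() + END
        pairs = list(zip(padded, padded[1:]))
        return sum(self.transition_logprob(a, b) for a, b in pairs) / len(pairs)

    def unseen_ratio(self, label):
        """Fraction of the label's transitions never observed in training."""
        padded = START + label.lower() + END
        pairs = list(zip(padded, padded[1:]))
        return sum(1 for a, b in pairs if self.counts.get(a, {}).get(b, 0) == 0) / len(pairs)


def label_of(fqdn):
    """Label to score: the part left of the public suffix (assumes a single-label TLD)."""
    parts = fqdn.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def rank_labels(labels, model):
    """Labels ordered from most to least normal-looking."""
    return sorted(labels, key=model.score, reverse=True)


def is_dga_like(label, model):
    return model.score(label) < model.threshold


if __name__ == "__main__":
    model = BigramModel(BENIGN_TRAINING)
    # Constructed sample of queried domains, two of them random-looking.
    queries = ["windowsupdate.com", "xq7zk2vj9pw4.net", "mailserver.example", "zvk3qx8jw5tq.org"]
    for fqdn in queries:
        label = label_of(fqdn)
        flag = "DGA-like" if is_dga_like(label, model) else "ok"
        print(f"{fqdn:22} score={model.score(label):.2f} unseen={model.unseen_ratio(label):.2f} {flag}")
```

With a realistic baseline of tens of thousands of labels the scores separate far more sharply than with this toy list, and the threshold is better set from the score distribution of the baseline than from its minimum. The Markov score is one signal; the same bullet lists domain age and visit frequency, which come from WHOIS or passive DNS data and are combined with the score rather than replaced by it.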
About the Tonto Team Threat Group
The Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has targeted various countries since at least 2009.