Researchers identified 2 primary difference between the old version of Bisonal malware and the new version that includes C2 communication, code rewritten and the malware authors added a lot of evasion techniques to maintain the persistence.
Currently distributing malware campaign mainly focus on Russia and South Korea which contain some of the common attacks compare with the old version.
- Usually targeting organizations related to government, military or defense industries in South Korea, Russia, and Japan.
- In some cases, the use of Dynamic DNS (DDNS) for C2 servers.
- The use of a target or campaign code with its C2 to track victim or attack campaign connections.
- Disguising the Bisonal malware as a PDF, Microsoft Office Document or Excel file.
- The use of a decoy file in addition to the malicious PE file
- In some cases, code to handle Cyrillic characters on Russian-language operating systems.
Bisonal Malware Attack Targets
Here we can see one of the examples Bisonal module which is a targeted attack against Russian based organization that belongs to communication security services, telecommunication systems and defense using spear-phishing emails.
Email body contains some information for defense workers along with attached PDF document that contains an executable file.
Once the Weaponized PDF that contains malicious executable attachment is opened, the main payload is dropped in the victim machine and displays a decoy file to the victim.
Dropped Decoy file belongs to Bisonal Malware Family and it hides the encrypted Bisonal DLL file and non-malicious decoy file at the end of the body.
Bisonal malware main module using a different cipher for C2 communication using the same key since 201, also a large part of the code has been re-written.
Later Bisonal variant send HTTP POST request to the C2 server and share the IP address of the compromised machine.
According to paloalto networks, Another sign of the infection is the data being sent to the C2 server during the initial connection. Every time this variant of Bisonal communicates with its C2, it sends a unique id number and backdoor command in the first eight bytes.
Soon after receiving the initial beacon from the victim infected with Bisonal, the C2 replies with a session id number and backdoor command.
Based on the commands compromised system will reply to the C&C server along with following backdoor command.
|0x000000C8||gets system info|
|0x000000C9||gets running process list|
|0x000000CB||accesses cmd shell|
Likewise, the targets are military or defense industry in particular countries such as South Korea, Japan, India and Russia and the researchers believe that there is a group behind this massive attack and investigation is still going on.
Dropper SHA256: B1DA7E1963DC09C325BA3EA2442A54AFEA02929EC26477A1B120AE44368082F8 0641FE04713FBDAD272A6F8E9B44631B7554DFD1E1332A8AFA767D845A90B3FA Bisonal SHA256: 43459F5117BEE7B49F2CEE7CE934471E01FB2AA2856F230943460E14E19183A6 DFA1AD6083AA06B82EDFA672925BB78C16D4E8CB2510CBE18EA1CF598E7F2722 1128D10347DD602ECD3228FAA389ADD11415BF6936E2328101311264547AFA75 359835C4A9DBE2D95E483464659744409E877CB6F5D791DAA33FD601A01376FC