BBSRAT is a malware, typically packaged within a portable executable file, although in some instances, it has been discovered within a raw DLL. This harmful program is designed to exploit and damage computers or devices and can be delivered through suspicious downloads, emails, or websites. In the most recent attack campaign using BBSRAT, the adversary appears to have deployed purpose-built variants and/or infrastructure for each of the intended targets, indicating a high level of sophistication and customization. The malware was observed being deployed via a downloader that used the Invoke-ReflectivePEInjection.ps1 script from the PowerSploit framework.
The first known attack using BBSRAT was observed in August 2015 as part of the "Roaming Tiger" campaign. During this attack, weaponized exploit documents were used which left Russian language decoy document files after infecting the system. In more recent attacks, the Trojan was found in AutoFocus, a cybersecurity tool, highlighting the evolving nature of the threat. Palo Alto Networks' WildFire technology has been successful in classifying BBSRAT malware samples as malicious, providing a degree of defense against this threat.
BBSRAT accepts many possible commands that the C2 (Command and Control) server can provide, giving attackers a wide range of options for exploiting infected systems. Upon execution, BBSRAT loads certain libraries at runtime, starting its disruptive operations. The downloaded executable contains a copy of the BBSRAT malware family, further propagating the threat. To protect against BBSRAT and similar threats, users are advised to avoid suspicious downloads, emails, and websites, and to regularly update their security software.