Bh_a006

Malware updated 6 months ago (2024-05-05T11:17:52.206Z)
BH_A006 is a backdoor named after the string that recurs in the PDB paths and internal names of the DLL libraries associated with it. It belongs to the BH_A006 family of backdoor samples, which uses an unidentified, obfuscated protector at one of its stages. The execution chain converts a PE file into a self-contained compressed shellcode, a technique not seen in other families. Its payload execution scheme is nontrivial and the initial stages vary between samples, which makes the family harder to detect and neutralize.

The malware is part of the Space Pirates toolkit, which includes unique downloaders and several backdoors presumably specific to the group: MyKLoadClient, BH_A006, and Deed RAT. BH_A006 has been linked to multiple IP addresses, including 45.77.16.91, 103.101.178.152, 123.1.151.64, 154.85.48.108, 154.213.21.207, 192.225.226.123, and 192.225.226.217, indicating a wide reach and potential for significant damage.

BH_A006 is built on the code of the widely used Gh0st backdoor, with additional modifications that often include multiple layers of obfuscation. The obfuscation both helps the malware evade security tools and complicates analysis, making it harder for defenders to understand and mitigate its impact. The sophistication of its design and implementation underscores the evolving threat landscape and the need for robust, adaptable defenses.
Description last updated: 2024-05-05T10:38:02.211Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the Bh_a006 malware was read from the documents corpus below. This display is limited to 20 results.

Source: CERT-EU (created a year ago)