Bisonal

Malware Profile Updated 3 months ago
Bisonal is a multifunctional malware that has been in use for over a decade by the Tonto Team, a Chinese government-aligned Advanced Persistent Threat (APT) group. It is known for its extensive capabilities, including process and file information harvesting, command and file execution, process termination, and arbitrary deletion of files on disk. The Bisonal Remote Access Trojan (RAT) has been deployed in various campaigns against entities in Japan, Russia, and South Korea. A variant of Bisonal RAT was also used during Operation Bitter Biscuit, showing the malware's long-standing utility in cyber espionage.

The deployment strategy for Bisonal relies on sophisticated social engineering. TAG-74, another group linked to China, has used Microsoft Compiled HTML Help (CHM) files as lures in these intrusions. The lures deploy a new variant of the open-source Visual Basic Script backdoor ReVBShell; once initial access has been established through ReVBShell, the Bisonal RAT is delivered to extend the attacker's capabilities on the compromised system.

Bisonal's dropper appends 80MB of binary data, with the ASCII value "56MM", to the end of the Bisonal binary. The dropper also creates a registry entry that executes the Bisonal sample when the computer reboots, giving the malware persistence on the infected device. With its multifaceted functionality and persistent deployment strategy, Bisonal represents a significant threat, particularly to the targeted regions of Japan, Russia, and South Korea.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
BISCUIT | 1 | "Biscuit" is a sophisticated malware variant that was notably used in an attack campaign titled "Operation Bitter Biscuit". This operation was first reported by AhnLab in October 2017, targeting entities in South Korea, Japan, India, and Russia. The offensive made use of the Bisonal remote access tr
BITTER | 1 | Bitter, also known as T-APT-17, is a suspected South Asian threat actor that has been involved in various cyber campaigns. The group has been active since at least August 2021, with its operations primarily targeting government personnel in Bangladesh through spear-phishing emails. The similarities
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Trojan
Apt
Malware
Malware Payl...
Government
Decoy
Phishing
Reconnaissance
Encryption
Beacon
Japan
Exploits
Dropper
Exploit
Rat
Payload
Associated Malware
ID | Type | Votes | Profile Description
ShadowPad | Unspecified | 1 | ShadowPad is a modular backdoor malware that has been utilized by several Chinese threat groups since at least 2017. Notably, it was used as the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in
Dexbia | Unspecified | 1 | None
Bioazih | Unspecified | 1 | None
Associated Threat Actors
ID | Type | Votes | Profile Description
Tonto Team | Unspecified | 2 | Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The team has been active for over a decade, utilizing various types of malware, notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, Russi
Operation Bitter Biscuit | Unspecified | 1 | Operation Bitter Biscuit, as reported by AhnLab, was a malicious campaign executed by a threat actor known as the Tonto Team. This operation targeted entities in South Korea, Japan, India, and Russia, with the initial report being published in October 2017. The main tools used in this cyber-attack w
Tick | Unspecified | 1 | Tick is a threat actor, also known as BRONZE BUTLER, that likely originates from the People's Republic of China. Secureworks® incident responders and Counter Threat Unit™ (CTU) researchers have been investigating activities associated with this group. Tick has deployed various tools and malware fami
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Bisonal malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 6 months ago | Connect the Dots on State-Sponsored Cyber Incidents - Tonto Team
CERT-EU | 6 months ago | Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Japan, Russia, and South Korean entities
CERT-EU | 10 months ago | South Korea subjected to multi-year Chinese cyberespionage campaign
CERT-EU | 10 months ago | Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign
CERT-EU | 10 months ago | Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 10 months ago | Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Japan, Russia, and South Korean entities
Recorded Future | 10 months ago | Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities | Recorded Future
CERT-EU | a year ago | Connect the Dots on State-Sponsored Cyber Incidents - Tonto Team
MITRE | a year ago | Bisonal: 10 years of play
MITRE | a year ago | Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
MITRE | a year ago | CactusPete APT group's updated Bisonal backdoor
MITRE | a year ago | Bisonal Malware Used in Attacks Against Russia and South Korea