Bisonal is a multifunctional malware family that the Tonto Team, a Chinese government-aligned Advanced Persistent Threat (APT) group, has used for over a decade. Its capabilities include harvesting process and file information, executing commands and files, terminating processes, and deleting arbitrary files from disk. The Bisonal Remote Access Trojan (RAT) has been deployed in campaigns against entities in Japan, Russia, and South Korea, and a variant was also used during Operation Bitter Biscuit, illustrating the malware's long-standing role in cyber espionage.
Bisonal is typically delivered through social engineering. TAG-74, another China-linked group, has used Microsoft Compiled HTML Help (CHM) files as lures in these intrusions; the lures deploy a new variant of ReVBShell, an open-source Visual Basic Script backdoor. Once ReVBShell provides initial access, the Bisonal RAT is delivered to extend the attacker's capabilities on the compromised system.
The Bisonal dropper appends 80MB of binary data with the ASCII value "56MM" to the end of the Bisonal binary, and it creates a registry entry that executes the Bisonal sample when the computer reboots, giving the malware persistence on the infected device. With its broad functionality and persistent deployment, Bisonal remains a significant threat, particularly to targeted organizations in Japan, Russia, and South Korea.
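As an added triage example (not code from the page's source reporting), assuming the appended data is the ASCII string "56MM" repeated to the end of the file: a Python helper that measures trailing "56MM" padding, flags oversized padding, and hashes the unpadded core so the underlying sample can be matched regardless of how much it was inflated.

```python
import hashlib

MARKER = b"56MM"
# The dropper described above appends about 80MB; flag anything past 64MB in triage.
PADDING_THRESHOLD = 64 * 1024 * 1024


def trailing_marker_run(data: bytes, marker: bytes = MARKER) -> int:
    """Return the number of bytes at the end of `data` made of whole repeats of `marker`."""
    chunk = marker * 4096  # compare large blocks first so 80MB of padding is cheap to scan
    end = len(data)
    # Fast path: peel off whole blocks of repeated marker.
    while end >= len(chunk) and data[end - len(chunk):end] == chunk:
        end -= len(chunk)
    # Slow path: peel off the remaining single repeats.
    n = len(marker)
    while end >= n and data[end - n:end] == marker:
        end -= n
    return len(data) - end


def strip_padding(data: bytes, marker: bytes = MARKER) -> bytes:
    """Return `data` with any trailing marker padding removed."""
    return data[:len(data) - trailing_marker_run(data, marker)]


def triage(data: bytes, threshold: int = PADDING_THRESHOLD) -> dict:
    """Summarise inflation: padding size, whether it exceeds the threshold, and the core hash."""
    core = strip_padding(data)
    padding = len(data) - len(core)
    return {
        "padding_bytes": padding,
        "suspicious": padding >= threshold,
        "core_size": len(core),
        "core_sha256": hashlib.sha256(core).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample: a 1 KiB stand-in payload followed by 4000 bytes of "56MM" padding.
    sample = bytes(range(256)) * 4 + MARKER * 1000
    print(triage(sample, threshold=4000))
```

The core hash lets you correlate samples that differ only in padding length; compare it against the hashes in the original reporting rather than the hash of the inflated file.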
Description last updated: 2024-05-04T19:05:13.968Z