Bisonal

Malware updated a month ago (2024-11-29T14:07:28.781Z)
Download STIX
Preview STIX
Bisonal is a multifunctional malware that has been in use for over a decade by the Tonto Team, a Chinese government-aligned Advanced Persistent Threat (APT) group. This malicious software is known for its extensive capabilities including process and file information harvesting, command and file execution, process termination, and arbitrary disk file deletion. The Bisonal Remote Access Trojan (RAT) has been deployed in various campaigns against entities in Japan, Russia, and South Korea. It's noteworthy that a variant of Bisonal RAT was also used during Operation Bitter Biscuit, showcasing the malware's long-standing utility in cyber espionage. The deployment strategy of Bisonal involves sophisticated social engineering attacks. TAG-74, another group linked to China, has leveraged Microsoft Compiled HTML Help (CHM) files as lures in these intrusions. These lures are designed to deploy a new variant of the open-source Visual Basic Script backdoor called ReVBShell. Once initial access is established through ReVBShell, the Bisonal RAT is then distributed to enhance the attacker's capabilities within the compromised system. The operation of Bisonal includes a dropper that appends 80MB of binary data at the end of the Bisonal binary with the ASCII value "56MM". This dropper creates a registry entry to execute the Bisonal sample when the computer reboots, ensuring persistence on the infected device. With its multifaceted functionality and persistent deployment strategy, Bisonal represents a significant threat to cybersecurity, particularly for targeted regions such as Japan, Russia, and South Korea.
Description last updated: 2024-05-04T19:05:13.968Z
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Trojan
Apt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Tonto Team Threat Actor is associated with Bisonal. Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The team has been active for over a decade, utilizing various types of malware, notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, RussiUnspecified
2