Bisonal

Malware Profile Updated 13 days ago
Bisonal is a multifunctional malware that has been in use for over a decade by the Tonto Team, a Chinese government-aligned Advanced Persistent Threat (APT) group. Its capabilities include harvesting process and file information, executing commands and files, terminating processes, and deleting arbitrary files on disk. The Bisonal Remote Access Trojan (RAT) has been deployed in campaigns against entities in Japan, Russia, and South Korea, and a variant of it was also used during Operation Bitter Biscuit, illustrating the malware's long-standing role in cyber espionage.

Bisonal is delivered through social engineering. TAG-74, another China-linked group, has used Microsoft Compiled HTML Help (CHM) files as lures in these intrusions. The lures deploy a new variant of ReVBShell, an open-source Visual Basic Script backdoor; once ReVBShell has established initial access, the Bisonal RAT is delivered to extend the attacker's capabilities on the compromised system.

Bisonal's dropper appends 80MB of binary data with the ASCII value "56MM" to the end of the Bisonal binary, and creates a registry entry that runs the Bisonal sample when the computer reboots, so the infection persists across restarts. With its broad functionality and persistent deployment strategy, Bisonal remains a significant threat, particularly to targeted organizations in Japan, Russia, and South Korea.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Trojan
Apt
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Tonto Team | Unspecified | 2 | Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The team has been active for over a decade, utilizing various types of malware, notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, Russi
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Bisonal malware was read from the document corpus below. This display is limited to 20 results.
Source (created at): Title
MITRE (a year ago): Bisonal Malware Used in Attacks Against Russia and South Korea
MITRE (a year ago): Bisonal: 10 years of play
MITRE (a year ago): CactusPete APT group’s updated Bisonal backdoor
MITRE (a year ago): Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
CERT-EU (8 months ago): Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign
CERT-EU (4 months ago): Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Japan, Russia, and South Korean entities
CERT-EU (8 months ago): Connect the Dots on State-Sponsored Cyber Incidents - Targeting of Japan, Russia, and South Korean entities
CERT-EU (10 months ago): Connect the Dots on State-Sponsored Cyber Incidents - Tonto Team
CERT-EU (4 months ago): Connect the Dots on State-Sponsored Cyber Incidents - Tonto Team
CERT-EU (8 months ago): Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (8 months ago): South Korea subjected to multi-year Chinese cyberespionage campaign
Recorded Future (8 months ago): Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities | Recorded Future