BS2005

Malware updated 4 months ago (2024-05-05T03:18:09.702Z)
BS2005 is malware that has traditionally been used by a cybercriminal group for harmful activity. It infiltrates systems via suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. BS2005 is a backdoor: it communicates with the attacker's command and control (C2) infrastructure through Internet Explorer, using the COM interface IWebBrowser2, and relies on specific domains for its C2 operations, which makes it a significant security concern.

The malware family has evolved over time. The Flea backdoor Ketrican was based on BS2005, demonstrating the continuous development and growing sophistication of these threats. More recently, BS2005 has been observed alongside two additional backdoors, RoyalCli and RoyalDNS, which represent advancements in the group's malware arsenal and increase the potential damage they can cause.

RoyalCli and RoyalDNS are notable evolutions of BS2005. They reuse familiar encryption and encoding routines, which makes them difficult to detect and mitigate, and RoyalCli, like BS2005, communicates with the attacker's C2 through Internet Explorer. The presence of these backdoors alongside BS2005 indicates an escalation in the threat landscape and calls for more robust defensive measures against these attacks.
Description last updated: 2024-05-05T03:05:02.555Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Ketrican (2 votes): Ketrican is a type of malware, or malicious software, that was developed to exploit and damage computer systems. It's associated with the Ke3chang group and is known for its ability to infiltrate systems through suspicious downloads, emails, or websites. Once inside a system, Ketrican can steal pers
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Associated Malware
graphican (type: Unspecified, 2 votes): Graphican is a novel malware developed by the Chinese threat actor group known as Flea, APT15, or Nickel. The malware, an evolution of the group's custom backdoor Ketrican, has been used in a series of cyber-attacks against foreign affairs ministries across Central and South America between late 202
Source Document References
Information about the BS2005 malware was read from the documents listed below.

CERT-EU (a year ago): China-sponsored APT group targets government ministries in the Americas
DARKReading (a year ago): 20-Year-Old Chinese APT15 Finds New Life in Foreign Ministry Attacks
MITRE (2 years ago): APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS