
Bisonal Malware Used in Attacks Against Russia and South Korea

2018-07-31, PaloaltoNetworks
https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/
#Bisonal

Summary
In early May, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified organization in South Korea that delivered a variant of Bisonal malware. While not previously publicly documented, the variant has been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware: a different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication and maintaining persistence. To date, we have collected only 14 samples of this variant, indicating it may be sparingly used. The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file’s contents.
Attacks using Bisonal have been blogged about in the …

IoC
