BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]

ID: G0060
Associated Groups: REDBALDKNIGHT, Tick
Contributors: Trend Micro Incorporated
Version: 1.3
Created: 16 January 2018
Last Modified: 12 October 2021

Associated Group Descriptions

Name Description
REDBALDKNIGHT [1][3]
Tick [1][4][3]

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

BRONZE BUTLER has exfiltrated files stolen from local systems.[2]

Enterprise T1039 Data from Network Shared Drive

BRONZE BUTLER has exfiltrated files stolen from file shares.[2]

Enterprise T1036 Masquerading

BRONZE BUTLER has masked executables with document file icons including Word and Adobe PDF.[3]

.002 Right-to-Left Override

BRONZE BUTLER has used Right-to-Left Override to deceive victims into executing several strains of malware.[3]

.005 Match Legitimate Name or Location

BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[2]

Enterprise T1550 .003 Use Alternate Authentication Material: Pass the Ticket

BRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.[2]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

BRONZE BUTLER downloads encoded payloads and decodes them on the victim.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

BRONZE BUTLER has used PowerShell for execution.[2]

.003 Command and Scripting Interpreter: Windows Command Shell

BRONZE BUTLER has used batch scripts and the command-line interface for execution.[2]

.005 Command and Scripting Interpreter: Visual Basic

BRONZE BUTLER has used VBS and VBE scripts for execution.[2][3]

.006 Command and Scripting Interpreter: Python

BRONZE BUTLER has made use of Python-based remote access tools.[3]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.[3]

Enterprise T1203 Exploitation for Client Execution

BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution.[4][3]

Enterprise T1113 Screen Capture

BRONZE BUTLER has used a tool to capture screenshots.[2][3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BRONZE BUTLER malware has used HTTP for C2.[2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.[2][3]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server.[2]
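The three entries above (RC4 over HTTP, decoding downloaded payloads on the victim, and base64-encoded POST bodies) describe two layers that an analyst has to peel off a captured request. The following is an added example written for this page, not code from the original page or from any BRONZE BUTLER tool: a plain RC4 implementation, the base64 wrapping an implant would apply before posting, and a key-trial routine an analyst can point at a captured body with candidate keys pulled from a sample. The key, the check-in string and the 95% printable threshold are constructed assumptions; the actual Datper key handling and the RarStar XOR routine are not reproduced here.

```python
import base64
import string

PRINTABLE = set(string.printable.encode("ascii"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation XORed into data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_post_body(key: bytes, plaintext: bytes) -> str:
    """Implant side: RC4-encrypt, then base64 so the bytes survive an HTTP POST."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_post_body(key: bytes, body: str) -> bytes:
    """Analyst side: strip the two layers from a captured body."""
    return rc4(key, base64.b64decode(body))


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def recover_plaintext(body: str, candidate_keys, threshold: float = 0.95):
    """Try keys harvested from a sample against a captured body. The right RC4 key
    yields mostly printable output; a wrong key yields noise that fails the threshold."""
    for key in candidate_keys:
        plaintext = decode_post_body(key, body)
        if plaintext and printable_ratio(plaintext) >= threshold:
            return key, plaintext
    return None, None


# Constructed sample: a beacon-style check-in and a key. Neither is a real Datper artefact.
SAMPLE_KEY = b"h7Gq!2zP"
SAMPLE_CHECKIN = b"id=WIN-PC01&user=taro&os=6.1.7601&cmd=dir C:\\Users\\taro\\Documents"

if __name__ == "__main__":
    body = encode_post_body(SAMPLE_KEY, SAMPLE_CHECKIN)
    print("POST body:", body)
    key, pt = recover_plaintext(body, [b"wrongkey", b"password", SAMPLE_KEY])
    print("recovered with", key, "->", pt)
```

The same scaffold applies to a tool that uses AES or a custom XOR instead of RC4: swap rc4() for the routine lifted from the sample and keep the base64 layer and the printable-ratio check unchanged.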

Enterprise T1083 File and Directory Discovery

BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.[2]

Enterprise T1080 Taint Shared Content

BRONZE BUTLER has placed malware on file shares and given it the same name as legitimate documents on the share.[2]
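The Masquerading entries above (document icons on executables, the right-to-left override, and malware named after legitimate files on a share) and this Taint Shared Content entry come down to one question for a responder sweeping a file server: what will actually run when a user double-clicks. The block below is an added example for this page, not code from the original page or from any BRONZE BUTLER tooling. It renders a filename the way a bidi-aware file browser would, recovers the real extension, and pairs that with a coarse PE-header check against a baseline of document names expected on the share. The baseline, the sample names and the constructed_pe() bytes are constructed assumptions.

```python
import re
import struct

# Unicode bidirectional controls; U+202E (RLO) is the one used in filename tricks.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e", "\u200e", "\u200f"}
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".dll", ".hta"}
EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,5}$")


def extension(name: str) -> str:
    m = EXT_RE.search(name)
    return m.group(0).lower() if m else ""


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware file browser shows: everything after the first
    U+202E is drawn right-to-left (reversed) and the control itself is invisible."""
    head, rlo, tail = name.partition("\u202e")
    shown = head + (tail[::-1] if rlo else "")
    return "".join(c for c in shown if c not in BIDI_CONTROLS)


def analyze_filename(name: str) -> dict:
    """Compare how the name is displayed with what the OS will actually execute."""
    true_ext = extension("".join(c for c in name if c not in BIDI_CONTROLS))
    shown = rendered_name(name)
    shown_ext = extension(shown)
    stem = shown[: -len(shown_ext)] if shown_ext else shown
    findings = []
    if any(c in BIDI_CONTROLS for c in name):
        findings.append("bidi-override-in-name")              # T1036.002
    if true_ext in EXEC_EXTENSIONS and shown_ext in DOC_EXTENSIONS:
        findings.append("executable-displayed-as-document")
    if true_ext in EXEC_EXTENSIONS and extension(stem) in DOC_EXTENSIONS:
        findings.append("double-extension")                   # e.g. invoice.pdf.exe
    return {"rendered": shown, "true_extension": true_ext, "findings": findings}


def looks_like_pe(data: bytes) -> bool:
    """Coarse PE test: MZ stub plus a PE\\0\\0 signature at e_lfanew. A document-icon
    masquerade is still a PE underneath, whatever icon resource it carries."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def analyze_share_file(name: str, data: bytes, legitimate_names: set) -> list:
    """Name checks plus a content check for one file found on a share.
    legitimate_names is an inventory of documents expected on that share (assumed to
    come from a baseline; constructed in the demo below)."""
    findings = analyze_filename(name)["findings"]
    if looks_like_pe(data):
        if name in legitimate_names:
            findings.append("pe-replacing-known-document")    # T1080 + T1036.005
        elif extension(name) in DOC_EXTENSIONS:
            findings.append("pe-with-document-extension")
    return findings


def constructed_pe() -> bytes:
    """Minimal byte string that satisfies looks_like_pe(); constructed, not a real binary."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    baseline = {"Q3_budget.xlsx", "staff_list.docx"}       # constructed share inventory
    samples = [("report\u202ecod.exe", constructed_pe()),
               ("Q3_budget.xlsx", constructed_pe()),
               ("staff_list.docx", b"PK\x03\x04" + b"\x00" * 60)]
    for n, d in samples:
        print(repr(n), "shown as", analyze_filename(n)["rendered"], analyze_share_file(n, d, baseline))
```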

Enterprise T1189 Drive-by Compromise

BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks.[4]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.[2][3]
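The padding trick above works because many scanners skip or truncate files over a size limit, and because a padded and an unpadded build of the same downloader produce different hashes. As an added example for this page (not code from the original page or from BRONZE BUTLER tooling), the block below measures the trailing run of "0" bytes, decides whether it is padding rather than ordinary file content, and hashes the file with the tail removed so that both builds collide on one value. The thresholds (4096 bytes and 25% of the file) and the constructed sample are assumptions.

```python
import hashlib

PAD_BYTE = b"0"   # the ASCII "0" character the page describes


def trailing_run(data: bytes, pad: bytes = PAD_BYTE) -> int:
    """Length of the run of pad bytes at the very end of the file."""
    return len(data) - len(data.rstrip(pad))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def padding_report(data: bytes, min_run: int = 4096, min_fraction: float = 0.25) -> dict:
    """Flag files whose tail is dominated by one repeated character and hash the file
    with that tail removed, so padded and unpadded builds of one payload share
    sha256_core. Thresholds are assumptions: a couple of trailing "0"s at the end of a
    text file ("version 1.00") must not trip the check."""
    run = trailing_run(data)
    fraction = run / len(data) if data else 0.0
    padded = run >= min_run and fraction >= min_fraction
    core = data[: len(data) - run] if padded else data
    return {
        "size": len(data),
        "trailing_pad_bytes": run,
        "fraction": round(fraction, 3),
        "padded": padded,
        "sha256_file": sha256(data),
        "sha256_core": sha256(core),
    }


def constructed_sample(pad_len: int) -> bytes:
    """Constructed stand-in for a downloader: a fake MZ stub plus a varied body, then padding."""
    body = b"MZ" + bytes(range(256)) * 8
    return body + PAD_BYTE * pad_len


if __name__ == "__main__":
    for n in (0, 200_000):
        r = padding_report(constructed_sample(n))
        print(n, r["padded"], r["size"], r["sha256_core"][:16])
```

Keying a detection on sha256_core (rather than the file hash) is what lets one indicator cover every padded variant of the same downloader.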

.003 Obfuscated Files or Information: Steganography

BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.[3]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.[2][3]

Enterprise T1204 .002 User Execution: Malicious File

BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.[4][3]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

The BRONZE BUTLER uploader, or the malware it works with, uses a command to delete the RAR archives after they have been exfiltrated.[2]

Enterprise T1124 System Time Discovery

BRONZE BUTLER has used net time to check the local time on a target system.[2]

Enterprise T1007 System Service Discovery

BRONZE BUTLER has used TROJ_GETVERSION to discover system services.[3]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

BRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads.[2]

Enterprise T1588 .002 Obtain Capabilities: Tool

BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor.[4]

Enterprise T1087 .002 Account Discovery: Domain Account

BRONZE BUTLER has used net user /domain to identify account information.[2]

Enterprise T1518 Software Discovery

BRONZE BUTLER has used tools to enumerate software installed on an infected host.[3]

Enterprise T1105 Ingress Tool Transfer

BRONZE BUTLER has used various tools to download files, including DGet (a tool similar to wget).[2]

Enterprise T1018 Remote System Discovery

BRONZE BUTLER typically uses ping and Net to enumerate systems.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims.[4][3]

Enterprise T1053 .002 Scheduled Task/Job: At

BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement.[2]

.005 Scheduled Task/Job: Scheduled Task

BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement.[2]
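Both scheduled-task entries describe the same pattern: a task registered on a remote host from a machine the attacker already controls. As an added example for this page (not code from the original page or from BRONZE BUTLER tooling), the block below parses schtasks and at command lines out of process-creation records, extracts the target host, and raises an alert only when that target differs from the machine that logged the command. The log records are constructed; the tuple layout is a stand-in for the fields of Sysmon Event ID 1 or Windows Security event 4688, not an exact schema.

```python
import re

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
AT_RE = re.compile(
    r"^(?:.*[\\/])?at(?:\.exe)?\s+\\\\(?P<host>[^\s\\]+)\s+(?P<time>\d{1,2}:\d{2}(?::\d{2})?)\s+(?P<cmd>.+)$",
    re.IGNORECASE,
)
SCHTASKS_RE = re.compile(r"^(?:.*[\\/])?schtasks(?:\.exe)?$", re.IGNORECASE)
VALUE_FLAGS = {"/s": "host", "/tn": "task", "/tr": "run", "/st": "start_time",
               "/sc": "schedule", "/ru": "run_as", "/u": "auth_user"}
ACTIONS = {"/create", "/run", "/change", "/delete", "/query", "/end"}
LATERAL_ACTIONS = {"create", "run", "change"}      # /query against a remote host is recon, not movement
LOCAL_NAMES = {"localhost", "127.0.0.1", "."}


def parse_command(cmdline: str):
    """Return a normalised dict for schtasks/at command lines, None for anything else."""
    m = AT_RE.match(cmdline.strip())
    if m:
        return {"tool": "at", "action": "create", "host": m["host"],
                "start_time": m["time"], "run": m["cmd"]}
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not toks or not SCHTASKS_RE.match(toks[0]):
        return None
    info = {"tool": "schtasks", "action": None, "host": None, "run": None}
    i = 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ACTIONS:
            info["action"] = flag[1:]
        elif flag in VALUE_FLAGS and i + 1 < len(toks):
            info[VALUE_FLAGS[flag]] = toks[i + 1]
            i += 1
        i += 1
    if info["host"]:
        info["host"] = info["host"].lstrip("\\")
    return info


def is_lateral(info, logging_host: str) -> bool:
    """True when a task is registered or run on a machine other than the one logging it."""
    host = (info or {}).get("host")
    if not host or info["action"] not in LATERAL_ACTIONS:
        return False
    return host.lower() not in LOCAL_NAMES | {logging_host.lower()}


def scan_log(records):
    """records: iterable of (timestamp, logging_host, user, command_line) tuples."""
    alerts = []
    for ts, host, user, cmd in records:
        info = parse_command(cmd)
        if info and is_lateral(info, host):
            alerts.append({"logged_at": ts, "source": host, "user": user, **info})
    return alerts


# Constructed records: one lateral schtasks /create, one local task, one at job, one remote query.
SAMPLE_LOG = [
    ("2018-01-16T13:01:10", "WS-17", "CORP\\taro",
     r'schtasks /create /s \\FS01 /tn "Adobe Update" /tr "C:\Windows\Temp\upd.exe" /sc once /st 13:05 /ru SYSTEM'),
    ("2018-01-16T13:02:40", "WS-17", "CORP\\taro",
     r'schtasks /create /tn Backup /tr "C:\Tools\backup.bat" /sc daily'),
    ("2018-01-16T13:04:02", "WS-17", "CORP\\taro",
     r'at \\FS02 13:10 cmd /c \\ws-17\c$\tools\m.bat'),
    ("2018-01-16T13:05:30", "WS-17", "CORP\\taro",
     r'schtasks /query /s FS01'),
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["logged_at"], a["tool"], a["source"], "->", a["host"], a.get("run"))
```

The /tr value and /ru SYSTEM are worth carrying into the alert: a task pointing at a path under Temp or at a UNC share back on the source host, run as SYSTEM, is the shape of the lateral execution the entries above describe.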

Software

ID Name References Techniques
S0469 ABK [3] Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Obfuscated Files or Information: Steganography, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Injection
S0110 at [2] Scheduled Task/Job: At
S0473 Avenger [3] Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Steganography, System Information Discovery, System Network Configuration Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery, Process Injection
S0470 BBK [3] Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Native API, Obfuscated Files or Information: Steganography, Ingress Tool Transfer, Process Injection
S0471 build_downer [3] Masquerading: Masquerade Task or Service, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Native API, Obfuscated Files or Information: Steganography, System Information Discovery, System Time Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer
S0106 cmd [2] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Lateral Tool Transfer, Indicator Removal on Host: File Deletion, System Information Discovery, Ingress Tool Transfer
S0187 Daserf [1][4] Masquerading: Match Legitimate Name or Location, Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Archive Collected Data, OS Credential Dumping: LSASS Memory, Data Obfuscation: Steganography, Data Encoding: Standard Encoding, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, Ingress Tool Transfer, Input Capture: Keylogging, Subvert Trust Controls: Code Signing
S0472 down_new [3] Encrypted Channel: Symmetric Cryptography, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, File and Directory Discovery, System Information Discovery, System Network Configuration Discovery, Software Discovery: Security Software Discovery, Software Discovery, Ingress Tool Transfer, Process Discovery
S0008 gsecdump [2][4] OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets
S0002 Mimikatz [2][4][3] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [2] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal on Host: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0111 schtasks [2] Scheduled Task/Job: Scheduled Task
S0596 ShadowPad [5] Modify Registry, Dynamic Resolution: Domain Generation Algorithms, Deobfuscate/Decode Files or Information, Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Indicator Removal on Host, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Non-Application Layer Protocol, Scheduled Transfer
S0005 Windows Credential Editor [2][4] OS Credential Dumping: LSASS Memory

References