| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | BBSRAT has been seen persisting via COM hijacking through replacement of the COM object for MruPidlList. |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP.[1] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BBSRAT uses the Windows Expand utility to decompress a CAB file into executable content.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location. |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control, to obtain commands and to send ZLIB-compressed data back to the C2 server.[1] |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | BBSRAT can compress data with ZLIB prior to sending it back to the C2 server.[1] |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1569.002 | System Services: Service Execution | |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | BBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution.[1] |
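The two persistence entries in the table (per-user COM hijacking of MruPidlList, T1546.015, and a Run key launching the dropped Citrix executable, T1547.001) both leave registry writes that endpoint telemetry records. The detector below is an added example, not code from the ATT&CK page or from any BBSRAT analysis: it runs over constructed Sysmon Event ID 13 (registry value set) records, flags per-user `InprocServer32` registrations (which COM resolves ahead of the machine-wide `HKLM` entry, so a user-hive write hijacks an already-registered object), and flags Run-key values whose target sits in a user-writable directory. The MruPidlList CLSID constant is an assumption (the value commonly cited for that object), the log line format and file paths are constructed, and the `HKU\<SID>` path convention follows how Sysmon reports user-hive keys.

```python
"""Flag Sysmon registry writes matching BBSRAT-style persistence.

Added example; not code from the ATT&CK page or a BBSRAT report. Input lines
are constructed in a flattened 'Key=Value' Sysmon Event ID 13 style.
"""
import re
from dataclasses import dataclass

# Assumption: CLSID commonly reported for the MruPidlList object. Use it as a
# hunting hint; any per-user InprocServer32 write is still worth a look.
MRUPIDLLIST_CLSID = "{42aedc87-2188-41fd-b9a3-0c966feabec1}"

# Per-user COM server registration (Sysmon reports user hives as HKU\<SID>\...).
USER_CLSID_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32",
    re.IGNORECASE,
)
# A value set directly under a Run or RunOnce key (HKLM or HKU).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$",
    re.IGNORECASE,
)
# Directories a dropper can write to without admin rights.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData|ProgramData|Temp|Users\\[^\\]+)\\", re.IGNORECASE
)


@dataclass
class Finding:
    rule: str
    severity: str
    target: str
    details: str


def parse_sysmon13(line: str) -> dict:
    """Split a constructed 'Key=Value Key=Value' line into a field dict."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}


def check_event(ev: dict) -> list:
    """Return findings for one parsed Event ID 13 record."""
    target = ev.get("TargetObject", "")
    data = ev.get("Details", "")
    findings = []
    m = USER_CLSID_RE.match(target)
    if m:
        # A user-hive InprocServer32 shadows the HKLM registration for this CLSID.
        sev = "high" if m.group(1).lower() == MRUPIDLLIST_CLSID else "medium"
        findings.append(Finding("T1546.015 per-user COM server registration", sev, target, data))
    if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(data):
        findings.append(Finding("T1547.001 Run key pointing into user-writable path",
                                "medium", target, data))
    return findings


def analyze(lines) -> list:
    """Parse each line and collect findings for Event ID 13 records only."""
    out = []
    for line in lines:
        ev = parse_sysmon13(line)
        if ev.get("EventID") == "13":
            out.extend(check_event(ev))
    return out


# Constructed sample telemetry (paths, SID and DLL name are made up).
SAMPLE_LINES = [
    # Benign: an installer registers the Citrix agent from Program Files.
    r"EventID=13 Image=C:\Windows\System32\msiexec.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr Details=C:\Program Files\Citrix\ICA Client\ssonsvr.exe",
    # Suspicious: same executable name, registered from a user-writable folder.
    r"EventID=13 Image=C:\Users\alice\AppData\Roaming\setup.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\ssonsvr Details=C:\Users\alice\AppData\Roaming\ssonsvr.exe",
    # COM hijack: per-user InprocServer32 for the MruPidlList CLSID.
    r"EventID=13 Image=C:\Users\alice\AppData\Roaming\setup.exe TargetObject=HKU\S-1-5-21-1\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\(Default) Details=C:\Users\alice\AppData\Roaming\payload.dll",
    # Different event type (key created); ignored by analyze().
    r"EventID=12 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"[{f.severity}] {f.rule}: {f.target} -> {f.details}")
```

The Run-key rule deliberately ignores the first record: a Citrix agent started from `Program Files` is the expected baseline, and the signal in the BBSRAT case is the legitimate binary name appearing from a location a dropper can write. Pairing the Run-key hit with the side-loading entry (an unsigned DLL next to `ssonsvr.exe` in that same directory) is the natural next pivot.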