BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]

ID: G0060
Associated Groups: REDBALDKNIGHT, Tick
Contributors: Trend Micro Incorporated
Version: 1.3
Created: 16 January 2018
Last Modified: 12 October 2021

Associated Group Descriptions

Name Description
REDBALDKNIGHT

[1][3]

Tick

[1][4][3]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.[2][3]

Enterprise T1087 .002 Account Discovery: Domain Account

BRONZE BUTLER has used net user /domain to identify account information.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BRONZE BUTLER malware has used HTTP for C2.[2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.[2][3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

BRONZE BUTLER has used PowerShell for execution.[2]

.003 Command and Scripting Interpreter: Windows Command Shell

BRONZE BUTLER has used batch scripts and the command-line interface for execution.[2]

.005 Command and Scripting Interpreter: Visual Basic

BRONZE BUTLER has used VBS and VBE scripts for execution.[2][3]

.006 Command and Scripting Interpreter: Python

BRONZE BUTLER has made use of Python-based remote access tools.[3]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server.[2]

Enterprise T1005 Data from Local System

BRONZE BUTLER has exfiltrated files stolen from local systems.[2]

Enterprise T1039 Data from Network Shared Drive

BRONZE BUTLER has exfiltrated files stolen from file shares.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

BRONZE BUTLER downloads encoded payloads and decodes them on the victim.[2]

Enterprise T1189 Drive-by Compromise

BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks.[4]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.[2]

Enterprise T1203 Exploitation for Client Execution

BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution.[4][3]

Enterprise T1083 File and Directory Discovery

BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.[2]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.[3]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.[3]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

The BRONZE BUTLER uploader or malware the uploader uses command to delete the RAR archives after they have been exfiltrated.[2]

Enterprise T1105 Ingress Tool Transfer

BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[2]

Enterprise T1036 Masquerading

BRONZE BUTLER has masked executables with document file icons including Word and Adobe PDF.[3]

.002 Right-to-Left Override

BRONZE BUTLER has used Right-to-Left Override to deceive victims into executing several strains of malware.[3]

.005 Match Legitimate Name or Location

BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[2]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.[2][3]

.003 Obfuscated Files or Information: Steganography

BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.[3]

Enterprise T1588 .002 Obtain Capabilities: Tool

BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor.[4]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims.[4][3]

Enterprise T1018 Remote System Discovery

BRONZE BUTLER typically use ping and Net to enumerate systems.[2]

Enterprise T1053 .002 Scheduled Task/Job: At

BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement.[2]

.005 Scheduled Task/Job: Scheduled Task

BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement.[2]

Enterprise T1113 Screen Capture

BRONZE BUTLER has used a tool to capture screenshots.[2][3]

Enterprise T1518 Software Discovery

BRONZE BUTLER has used tools to enumerate software installed on an infected host.[3]

Enterprise T1007 System Service Discovery

BRONZE BUTLER has used TROJ_GETVERSION to discover system services.[3]

Enterprise T1124 System Time Discovery

BRONZE BUTLER has used net time to check the local time on a target system.[2]

Enterprise T1080 Taint Shared Content

BRONZE BUTLER has placed malware on file shares and given it the same name as legitimate documents on the share.[2]

Enterprise T1550 .003 Use Alternate Authentication Material: Pass the Ticket

BRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.[2]

Enterprise T1204 .002 User Execution: Malicious File

BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.[4][3]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

BRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads.[2]

Software

ID Name References Techniques
S0469 ABK [3] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Obfuscated Files or Information: Steganography, Process Injection, Software Discovery: Security Software Discovery
S0110 at [2] Scheduled Task/Job: At
S0473 Avenger [3] Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, Obfuscated Files or Information, Obfuscated Files or Information: Steganography, Process Discovery, Process Injection, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery
S0470 BBK [3] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Native API, Obfuscated Files or Information: Steganography, Process Injection
S0471 build_downer [3] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Native API, Obfuscated Files or Information: Steganography, Software Discovery: Security Software Discovery, System Information Discovery, System Time Discovery
S0106 cmd [2] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery
S0187 Daserf [1][4] Application Layer Protocol: Web Protocols, Archive Collected Data, Archive Collected Data: Archive via Utility, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data Obfuscation: Steganography, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Screen Capture, Subvert Trust Controls: Code Signing
S0472 down_new [3] Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Ingress Tool Transfer, Process Discovery, Software Discovery, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery
S0008 gsecdump [2][4] OS Credential Dumping: LSA Secrets, OS Credential Dumping: Security Account Manager
S0002 Mimikatz [2][4][3] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSA Secrets, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [2] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Domain Account, Create Account: Local Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0111 schtasks [2] Scheduled Task/Job: Scheduled Task
S0596 ShadowPad [5] Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal on Host, Ingress Tool Transfer, Modify Registry, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Transfer, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0005 Windows Credential Editor [2][4] OS Credential Dumping: LSASS Memory

References