| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB-compressed data back to the C2 server.[1] |
| Enterprise | T1560.002 | Archive Collected Data: Archive via Library | BBSRAT can compress data with ZLIB prior to sending it back to the C2 server.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location. |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BBSRAT uses Expand to decompress a CAB file into executable content.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP.[1] |
| Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | BBSRAT has been seen persisting via COM hijacking through replacement of the COM object for MruPidlList. |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper.[1] |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | BBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution.[1] |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1569.002 | System Services: Service Execution | |