LTS Secure Warning: Bisonal Malware breaches Defence security system via malicious Pdf.

In 2013, both COSEINC and FireEYE reveled attack using Bisonal Malware on Japanese organization. Later in 2017, AhnLab published a report about Operation Bitter Biscute an attack campaign against Japan, South Korea, Russia, and India using Bisonal Malware. It is discovered that it is carried by weaponised PDF Icon that mainly targeting the organizations related to government and defence industries.

Technical Details

Researchers identified two primary differences between the old version of Bisonal malware and the new version that includes C2 communication, code rewritten and the malware authors added many evasion techniques to maintain the persistence.

Currently distributing malware campaign mainly focus on Russia and South Korea, which contain some of the common attacks compare with the old version.

  • Usually targeting organizations related to government, military, or defence industries in South Korea, Russia, and Japan.
  • In some cases, the use of Dynamic DNS (DDNS) for C2 servers.
  • The use of a target or campaign code with its C2 to track victim or attack campaign connections.
  • Disguising the Bisonal malware as a PDF, Microsoft Office Document, or Excel file.
  • The use of a decoy file in addition to the malicious PE file

Impact

Bisonal module, which is a targeted attack mostly industries that belongs to communication security services, telecommunication systems, and defence using spear-phishing emails.

Email body contains some information for defence workers along with an attached PDF document that contains an executable file. Once the infected PDF that contains malicious executable attachment is opened, the main payload is dropped in the victim machine and displays a decoy file to the victim. Dropped Decoy file belongs to the Bisonal Malware Family and it hides the encrypted Bisonal DLL file and non-malicious decoy file at the end of the body. Bisonal malware main module using a different cipher for C2 communication using the same key since 201, also a large part of the code has been re-written. Later Bisonal variant sends HTTP POST request to the C2 server and share the IP address of the compromised machine.

Recommended Actions

The attackers behind Bisonal have been active for at least 7 years, and the variant used against the Russian and South Korean targets discussed in this blog in the wild since 2014. Since the attackers frequently rewrite functions from scratch and avoid reusing infrastructures

Palo Alto Networks customers are protected from this threat by:

  • WildFire detects all Bisonal files with malicious verdicts.
  • AutoFocus customers can track these samples with the Bisonal
  • Traps blocks all of the files associated with Bisonal.

To know more about Bisonal Malwaare, click on the link.