Chinese hackers use decade-old Bisonal Trojan in cyberespionage campaigns

The RAT’s core functions remain the same but it is unusual that the malware has been rehashed over so many years.
Written by Charlie Osborne, Contributing Writer

Chinese cyberattackers continue to improve and deploy a decade-old Remote Access Trojan (RAT) in ongoing campaigns against Russian, Japanese, and South Korean targets.

On Thursday, researchers from Cisco Talos said that the Bisonal RAT is an unusual sample of malware that has been improved, rolled back, and refined over a period of 10 years, an uncommon practice among threat actors, who more often overhaul their arsenal with new tools and software over time.

In a report shared exclusively with ZDNet ahead of publication, Talos said the Trojan has been linked to Tonto Team, a suspected Chinese state-sponsored Advanced Persistent Threat (APT) group belonging to the Chinese military. 

According to FireEye, Tonto Team is potentially based at the Shenyang Military Region Technical Reconnaissance Bureau and may have been involved in 2017 attacks against South Korea's Terminal High-Altitude Air Defense (THAAD) missile system, deployed in response to North Korean missile tests.

Previous Tonto Team attacks have also been connected to targets in Russia, Japan, and South Korea. 

Cisco Talos cybersecurity researchers Warren Mercer, Paul Rascagneres and Vitor Ventura say that Bisonal has been spotted in recent campaigns against the same countries, with a particular focus on Russian speakers. 

"Their campaigns had very specific targets which would suggest their end game was more around operational intelligence gathering and espionage," Talos says. 

The first stage of the attack chain is usually a spear-phishing email, sometimes bolstered via social engineering, containing a lure document. 

Previous attack waves, dating back to 2009, used malicious documents related to national research, the military, and the South Korean government, as well as state-owned Russian companies and conferences.

More recently, Talos has identified a Russian RTF document designed to drop a winhelp.wll file containing Bisonal, alongside a variety of South Korean documents using similar RTF exploits to drop the malware. The Russian example relates to research, whereas the South Korean phishing email attachments claim to relate to the country's government. 

Bisonal has a history going back a decade. First compiled on December 24, 2010, the oldest version of the Trojan was its simplest variant, designed as malware that used a Windows API to execute threads containing the malware's code.

Only three commands were implemented: command execution via the ShellExecuteW() API, the ability to list running processes, and clean-up functions.

The 2010 version has one common factor with its latest evolution -- the use of dynamic DNS in relation to communication with its command-and-control (C2) server, a feature still in use today. 

A year later, Bisonal was given obfuscation upgrades, including the disguise of function names and API usage through string splitting. Later in the year, a new version was released with XOR encoding and added support for proxy servers.

The cleaning function was removed -- potentially by accident -- only to be re-implemented during another version in 2011.  

By the end of the year, Bisonal was transformed into a lightweight, simple library executed via a launcher. While many functions were stripped out, the malware contained new espionage capabilities including file exfiltration, file listing, process killing, and file deletion.  

Throughout 2012, the developer swung back and forth between hiding malicious code in libraries, changing hardcoded C2 variables, tampering with the code to establish itself as a Windows service, and eventually switching to a .exe format.

No new samples were found in 2013. However, in 2014, the Bisonal developers relaunched with an MPRESS packer, as well as a switch from XOR to a new custom algorithm designed to improve obfuscation. In addition, a large part of the code was rewritten, including a move from raw sockets to WinInet for connecting to the C2.

Two years later, Bisonal underwent a packer change that made analysis more difficult, involving what the researchers call "useless jumps and calls" and almost no direct calls to functions.

During 2018, the RAT's developer began experimenting with the MFC framework and Visual C libraries -- but also became somewhat sloppy, including strings in clear text and forgetting to obfuscate important functions.

Massive overhauls took place last year, including the rollback of past mistakes, the implementation of new packers, two new obfuscation algorithms, anti-sandbox techniques including the use of junk code, and a new Microsoft Office extension -- an RTF document -- that utilizes CVE-2018-0798, an Equation Editor vulnerability that permits remote code execution on a vulnerable machine.

An interesting change is a multi-stage infection technique. The vulnerability is used to transfer the malware's dropper, but it will not execute until an Office application is opened and a reboot is performed. The dropper also appends 80MB of binary data at the end of the Bisonal binary, which Talos suspects may be an anti-analysis technique to combat tools and sandboxes with size restrictions, such as the VirusTotal API. 
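A defender can spot this kind of size padding by measuring the PE overlay, the bytes that follow the last section's raw data. The sketch below is an added example, not code from Talos or from this article; the function names, the 32MB threshold and the constructed sample PE are assumptions made for illustration.

```python
import struct

# Assumed triage threshold for this example; not a value from the Talos report.
OVERLAY_THRESHOLD = 32 * 1024 * 1024

def pe_overlay_size(data: bytes) -> int:
    """Bytes that follow the end of the last section's raw data (the overlay)."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)
        (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
        table = pe_off + 24 + opt_size        # first section header
        end = table + 40 * num_sections       # the image is at least its headers
        for i in range(num_sections):
            # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header
            raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
            if raw_size:
                end = max(end, raw_ptr + raw_size)
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return max(0, len(data) - end)

def is_padded(data: bytes, threshold: int = OVERLAY_THRESHOLD) -> bool:
    """Flag files whose overlay is large enough to look like size padding.
    Signed files and installers also carry overlays, so this is a triage hint."""
    return pe_overlay_size(data) >= threshold

def build_sample_pe(padding: int) -> bytes:
    """Constructed one-section PE skeleton with `padding` zero bytes appended."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + sect).ljust(0x200, b"\0") + b"\x90" * 0x200 + b"\0" * padding

if __name__ == "__main__":
    for pad in (0, 4096):
        sample = build_sample_pe(pad)
        print(pad, pe_overlay_size(sample), is_padded(sample, threshold=1024))
```
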

"The development of Bisonal has been active for over a decade," the researchers say. "Specific functions are still used today, many years after the original implementation of the Bisonal malware. Even if Bisonal could be considered as simple with less than 30 functions, it has spent its life targeting sensitive entities in both the public and private sectors. We don't see any reason why this actor will stop in the near future."

Spear-phishing remains a common attack vector for enterprise companies and a threat that should be taken seriously. Paul Rascagneres, a threat researcher at Cisco Talos, told us: 

"Spear-phishing is the main infection vector for espionage campaigns. The new publication shows us it is massively used. The documents look realistic and sometimes they are real; the attackers take real documents and add malicious payloads inside. It is important to implement email protection and to train users by doing fake spear-phishing campaigns, for example."
