{
	"id": "c1e5f01d-9839-4d59-9ba2-d0efd4961142",
	"created_at": "2026-04-06T00:20:13.778946Z",
	"updated_at": "2026-04-10T13:11:54.335866Z",
	"deleted_at": null,
	"sha1_hash": "c937bbd9eef86780cbacc655ca028a992018d91a",
	"title": "Bisonal: 10 years of play",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3696840,
	"plain_text": "Bisonal: 10 years of play\r\nBy Paul Rascagneres\r\nPublished: 2020-03-05 · Archived: 2026-04-05 17:07:11 UTC\r\nBy Warren Mercer, Paul Rascagneres and Vitor Ventura.\r\nUpdate 06/03/20: added samples from 2020.\r\nExecutive summary\r\nSecurity researchers detected and exposed the Bisonal malware over the past 10 years. But the Tonto team,\r\nthe threat actor behind it, didn't stop.\r\nThe victimology didn't change over time, either. Japanese, South Korean and Russian organizations were\r\nthe prime targets for this threat actor.\r\nThe malware evolved to lower its detection ratio and improve the initial vector success rate.\r\nWhat's new? Bisonal is a remote access trojan (RAT) that's part of the Tonto Team arsenal. The\r\npeculiarity of the RAT is that it's been in use for more than 10 years — this is an uncommon and\r\nlong period for malware. Over the years, it has evolved and adapted mechanisms to avoid\r\ndetection while keeping the core of its RAT the same. We identified specific functions here for\r\nmore than six years.\r\nHow did it work? Bisonal used multiple lure documents to entice their victims to open and then be\r\ninfected with Bisonal malware. This group has continued its operations for over a decade and they\r\ncontinue to evolve their malware to avoid detection. Bisonal primarily used spear phishing to\r\nobtain a foothold within their victims' networks. Their campaigns had very specific targets which\r\nwould suggest their end game was more around operational intelligence gathering and espionage.\r\nSo what? This is an extremely experienced group likely to keep their activities even after\r\nexposure, even if we identified mistakes and bad copy/paste, they are doing this job for more than\r\n10 years. We think that exposing this malware, explaining the behavior and the campaigns where\r\nBisonal was used is important to protect the potential future targets. 
The targets to this point are\r\nlocated in the public and private sectors with a focus on Russia, Japan and South Korea. We\r\nrecommend that entities located in this area prepare for this malware and actor and implement\r\ndetections based on the technical details provided in this article.\r\nhttps://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html\r\nPage 1 of 43\n\nWe identified a couple of decoy documents pointing to the victims. During the Heartbeat campaign documented in\r\n2012 by Trend Micro, dating back to 2009, the attacker used Hangul Word Processor (HWP) decoy documents.\r\nThis file format is mainly used in South Korea. The report mentioned political parties, media outfits, a national\r\npolicy research institute, a military branch of South Korean armed forces, a small business sector organization and\r\nbranches of the South Korean government. Later in 2018, Unit 42 released a Bisonal paper where we can see a\r\nspear-phishing campaign in Russian and a decoy document alleged to be from Rostec, a Russian state-owned\r\nholding conglomerate headquartered in Moscow.\r\nFinally, in 2018, Ahnlab released a paper about \"Operation Bitter Biscuit\" where Bisonal was used against Korean\r\nand Japanese entities. India is also mentioned, but it was by another malware named \"Bioazih\" by Ahnlab. In this\r\npaper, the editor mentions targets such as manufacturers, defense industry and government.\r\nWe can also provide additional decoy documents. For example, a Korean document used in September\r\n2014 where the title was \"Contact member and counselor of the Agriculture, Forestry, Livestock, Food and Marine\r\nFisheries Committee:\"\r\nOr a Russian document about the CIPR Digital conference used in April 2018. 
This is an application document\r\nthat has been used to provide a decoy to the Bisonal malware. This conference has some high-ranking government\r\nand business attendees.\r\nIn 2019, a Russian RTF document — судалгаа.doc (research.doc) — was used with an exploit to drop the\r\nwinhelp.wll file, which contains Bisonal.\r\nLast year, we also identified multiple Korean decoy documents using similar RTF exploits to deliver Bisonal,\r\nnamely ☆2020년도 예산안 운영위 서면질의 답변서_발간(1).doc (State Council Candidate (Minister of Justice\r\nChumiae) Personnel Hearing Execution Plan (1) .doc) and 국무위원후보자(법무부장관 추미애) 인사청문회\r\n실시계획서(1).doc (Written Inquiry from the 2020 Budget Operation Committee (Published) (1) .doc) which are\r\nboth alleged government documents.\r\nBased on our research and the released paper mentioned above, the Bisonal malware is part of the Tonto Team\r\narsenal. Tonto Team was mentioned in the media in 2017 as one of the actors who targeted South Korea, when the\r\ncountry announced it would deploy a Terminal High-Altitude Air Defense (THAAD) in response to North Korean\r\nmissile tests. At this time, researchers connected the Tonto Team to China.\r\n10 years of evolution\r\nIntroduction\r\nThe first variant of Bisonal publicly released went by the name of \"HeartBeat.\" At the end of\r\n2019, the actor changed their TTP and started using the Microsoft Office extension (.wll) to\r\nexecute the Bisonal payload. Based on this recent change, we decided to dive into the 10 years of\r\nevolution of Bisonal. To do so, we analysed more than 50 different samples and focused on the\r\nchanges that appeared during the years of usage.\r\n2010: the birth\r\nThe oldest version of Bisonal we identified was compiled on Dec. 24, 2010. This version is the\r\nsimplest we identified. 
The attacker created a Windows library (.dll) designed as a Windows\r\nservice (ServiceMain() entry point). When executed, the malware uses the Windows API to\r\ncommunicate with the Service Control Manager (SCM) and finally execute a thread. This thread\r\ncontains the code of the malware.\r\nThe C2 server of this first Bisonal variant is young03[.]myfw[.]us (port 8888). We can notice the usage of a\r\ndynamic DNS service. This is a Bisonal pattern. Even the newest version we identified used this kind of service.\r\nThe domain name was not obfuscated:\r\nThe IP address is a rollback if the first C2 server is down. In this campaign, the rollback was not used as it is\r\nconfigured to localhost. The communication to the C2 server is performed by using raw sockets:\r\nThe first action of the malware is to send the hostname of the infected system and the \"kris0315\" string. The sent\r\ndata is not encrypted or obfuscated. We assume the string is an identifier:\r\nThe malware supports only three commands:\r\nCommand execution: The execution is performed by the ShellExecuteW() API\r\nListing the running processes\r\nCleaning the malware: The malware first removes the registry key of the service and removes the library.\r\nAs the library is currently running, the deletion cannot be performed immediately. The developer decided\r\nto use the MoveFileEx() API with the MOVEFILE_DELAY_UNTIL_REBOOT flag to remove the file at the next reboot.\r\nThe malware contains the Bisonal string. 
It is interesting to notice that the string is not used but is still visible:\r\nThe sample was used in the HeartBeat campaign mentioned above.\r\nSha256: ba0bcf05aaefa17fbf99b1b2fa924edbd761a20329c59fb73adbaae2a68d2307\r\nC2 server: young03[.]myfw[.]us\r\n2011: obfuscation my darling \u0026 more espionage capabilities\r\n2011 March: commect()\r\nWe identified a sample from March 18, 2011. The sample is really similar to the variant from 2010. We can\r\nnotice that the developers wanted to hide some API usage. They use the LoadLibrary() API followed by\r\nGetProcAddress(). But they obfuscated the function name strings by splitting each of them in two. Here is an example:\r\nOnce the two strings are concatenated and read as little-endian, the string becomes \"commect.\" The malware\r\nthen replaces the \"m\" with an \"n\":\r\nThey use this trick for a couple of other APIs such as CreateThread(), CreatePipe(), PeekNamedPipe(),\r\nCreateProcessA(), CreateToolhelp32Snapshot(), ReadFile(), WriteFile() and, finally, the string \"cmd.exe.\"\r\nThe attacker also implemented a new command: executing a command through a named pipe in order to get the output of the\r\nexecuted command. The attackers execute cmd.exe, followed by the command to be executed. An interesting\r\npoint is that a charset is set for each executed command:\r\nThis charset is designed to cover languages that use Cyrillic script such as Russian, Bulgarian and Serbian. 
This\r\nhardcoded string could be an indicator concerning the targets of this malware.\r\nSha256: bb61cc261508d36d97d589d8eb48aaba10f5707d223ab5d5e34d98947c2f72af\r\nC2 server: kissyou01[.]myfw[.]us\r\n2011 September: The big changes\r\nThe developer decided to remove the MFC library and put almost all the code in a single function. The\r\nnumber of functions is reduced by a factor of three. Here is the main thread flow graph:\r\nAdditionally, strings such as the domain names and the URLs are encoded by using a XOR algorithm (with 0x1f as the key, for\r\nexample). The network communication is also obfuscated with a XOR (0x28).\r\nIn this version, the malware supports proxy servers. This was a limitation of the previous variants: if the target\r\nhad a proxy, the malware would not be able to communicate with the outside. The malware retrieves the proxy\r\nconfiguration from the registry:\r\nThe network communication is divided in two parts. The first part uses the Microsoft Windows WinInet library.\r\nThe purpose is to send reconnaissance information to the attackers. The data is sent to the server via\r\nInternetOpenA() and InternetOpenUrlA(). The C2 server of the analysed sample is\r\nhxxp://fund[.]cmc[.]or[.]kr/UploadFile/fame/x/o0.asp. The malware sends the operator the following\r\ninformation: the campaign ID (named Flag by the developer), the hostname of the compromised system, the IP\r\naddress, the OS version, the proxy server of the system and whether the system is running on VMware. To get this\r\nlast piece of information, the malware uses the VMXh magic value (0x0a). The second part of the communication is dedicated to\r\nthe orders and the exfiltration. 
This part is similar to the previous samples: raw sockets usage.\r\nThe features of the malware are the same as previously, with new capabilities such as file creation and removal.\r\nThe author removed the malware cleaning feature and implemented two other changes: PostThreadMessageW() is now\r\nused to send messages to the thread, and where the previous version used the\r\nTerminateProcess() API to stop the process executed via the named pipes, this version appends the\r\n\"exit\\r\\b\" string to the executed command in order to exit properly:\r\nAnother interesting change is the fact that they don't use the CHCP command anymore to force the charset but set the code\r\npage directly. You can see in the screenshot 0x4E3 (1251 - Cyrillic Russian) and 0x362 (866 - DOS Cyrillic Russian):\r\nSha256: 43606116e03672d5c2bca7d072caa573d3fc2463795427d6f5abfa25403bd280\r\nC2 for the orders: dnsdns1[.]PassAs[.]us\r\nC2 URL for reconnaissance: hxxp://fund[.]cmc[.]or[.]kr/UploadFile/fame/x/o0.asp\r\n2011 October: oops where is my cleaning function?\r\nIn October 2011, the attacker re-implemented the cleaning function.\r\nIn this implementation, the developer first uses the Windows service management API in order to remove the\r\nservice (instead of directly removing the registry key as before) and, finally, removes the file with the\r\nsame API as previously (MoveFileExA()).\r\nSha256: 43459f5117bee7b49f2cee7ce934471e01fb2aa2856f230943460e14e19183a6\r\nC2 for the orders: jennifer998[.]lookin[.]at\r\nC2 for rollback: 196[.]44[.]49[.]154\r\nC2 URL for reconnaissance: hxxp://fund[.]cmc[.]or[.]kr/UploadFile/fame/x/o0.asp\r\n2011 December: Not a service anymore\r\nThe new variant from 
December 2011 is not a service anymore but a simple library (.dll). The library is\r\nexecuted via a launcher (conime.exe) and the persistence mechanism is not a service anymore but a registry\r\nkey (CurrentVersion\\\\Run\\\\task).\r\nThe malware is lighter than the previous version but includes more espionage features such as file exfiltration, file\r\nlisting, drive listing, process killing and file removal. The other features are the same as previously.\r\nIt is interesting to note that the obfuscated reconnaissance URL is still hard-coded in the binary but it is not used\r\nanymore. The code used for the reconnaissance was removed but the developer forgot the IP variable.\r\nSha256: 915ad316cfd48755a9e429dd5aacbee266aca9c454e9cf9507c81b30cc4222e5\r\nC2 for the orders: v3net[.]rr[.]nu\r\nC2 for rollback: faceto[.]UglyAs[.]com\r\nC2 URL for reconnaissance: hxxp://fund[.]cmc[.]or[.]kr/UploadFile/fame/x/mh/o.asp\r\nHardcoded identifiers\r\nIn this version, we identify hard-coded identifiers. We assume these IDs are campaign or target IDs. Here is\r\na list of IDs:\r\n1031\r\njp0201\r\njp-serv\r\nmhi\r\nm1213\r\nclassnk\r\n95mhi\r\nnscsvc\r\nIn the next version, a campaign ID will also be used. We believe the IDs refer to Japanese targets. We\r\nbelieve these targets to sit within both the public and private sectors and that they are specifically targeted to\r\nfurther enhance the attacker's capabilities through espionage.\r\n2012: File format year\r\nFebruary: Let's hide my code in an almost legit library\r\nIn February 2012, the developer tried to hide the malicious code in the middle of a legit library. The\r\nmalicious library was named msacm32.dll and contains the same exports as a legit library from Microsoft\r\nWindows named msacm.dll. 
Here are the exports of the malicious library, with the same names as the real\r\none:\r\nAs previously, the hard-coded C2 for reconnaissance variable is still here, without being used.\r\nSha256: 6f8bbea18965b21dc8b9163a5d5205e2c5e84d6a4f8629b06abe73b11a809cca\r\nC2 for the orders: since[.]qpoe[.]com\r\nC2 for rollback: applejp[.]myfw[.]us\r\nC2 URL for reconnaissance: hxxp://fund[.]cmc[.]or[.]kr/UploadFile/fame/x/o0.asp\r\n2012 May \u0026 December: I miss services\r\nIn May and December 2012, the developers modified the .dll to go back to being a Windows service.\r\nAs previously described, the hard-coded C2 for reconnaissance variable is still here, without being used.\r\nSha256: b75c986cf63e0b5c201da228675da4eff53c701746853dfba6747bd287bdbb1d\r\nC2 for the orders: since[.]qpoe[.]com\r\nC2 for rollback: 69[.]197[.]149[.]98\r\nC2 URL for reconnaissance: hxxp://fund[.]cmc[.]or[.]kr/UploadFile/fame/x/o0.asp\r\nSha256: 979d4e6665ddd4c515f916ad9e9efd9eca7550290507848c52cf824dfbd72a7e\r\nC2 for the orders: usababa[.]myfw[.]us\r\nC2 for rollback: indbaba[.]myfw[.]us\r\nC2 URL for reconnaissance: hxxp://indbabababa[.]dns94[.]com/o.asp\r\n2012 October: Standalone PE\r\nIn October 2012, the attackers used an .exe: they chose a standalone PE.\r\nAs previously, the hard-coded C2 for reconnaissance variable is still here, without being used.\r\nSha256: 6f4a1b423c3936969717b1cfb25437ae8d779c095f158e3fded94aba6b6171ad\r\nC2 for the orders: mycount[.]MrsLove[.]com\r\nC2 for rollback: mycount[.]MrsLove[.]com\r\nC2 URL for reconnaissance: hxxp://fund[.]cmc[.]or[.]kr/UploadFile/fame/x/o0.asp\r\n2013: RIP\r\nWe did not identify any Bisonal samples used in 2013. The first explanation could be that it was\r\nused so little that it stayed under our radar. 
The second explanation could be a publication from\r\nTrend Micro on January 3, 2013. In the publication, the editor described a campaign where\r\nBisonal was used. Maybe the actor decided to stop using Bisonal?\r\n2014: The rebirth\r\nPacker\r\nFor the first time, the Bisonal developers decided to use a packer: MPRESS. The Bisonal string also\r\ndisappears from the binary; however, the workflow of the malware stays the same and some features are\r\ncopy/pasted from the previous Bisonal variant.\r\nObfuscation\r\nThe domain and the port number are obfuscated, but it is not a simple XOR anymore. The developers\r\nimplemented their own byte manipulation algorithm. The developer also obfuscated the\r\nOS detection. The OS version string is not stored as a string anymore but as bytes:\r\nIt is interesting to note that a few samples from 2014 do not use the obfuscation described above.\r\nMalware core\r\nThe developer rewrote a large part of the code; however, the workflow is the same as previously and some\r\nfeatures are copy/pasted. The binary is compiled with the MFC framework.\r\nThe biggest change is the network communication with the C2 server. The malware does not use a raw socket\r\nanymore: all the communications are performed with WinInet. The malware connects to the C2\r\nserver by using InternetOpenA() with a hardcoded User-Agent: \"Mozilla/4.0 (compatible; MSIE 6.0; Windows\r\nNT 5.0; .NET CLR 1.1.4322\". Note the missing parenthesis at the end of the User-Agent. 
This typo is still there\r\ntoday.\r\nThis variant has exactly the same features as the previous variant: file listing, OS version retrieval, process killing,\r\ndrive listing, execution via ShellExecuteW(), execution via named pipe, cleaning, file removal, file downloading.\r\nHere is an example of code similarities in the execution via named pipe function. On the left is a sample from\r\nBisonal 2014 and on the right Bisonal 2011. The code is not exactly the same but the workflow and some\r\nconstants are similar.\r\nHard-coded Identifiers \u0026 URL pattern\r\nIn this new version, we identify three hard-coded identifiers:\r\nCampaign ID: an ID put in the exfiltrated data with the hostname and the OS version. We assume this ID is\r\nused to identify the campaign and the target by the operator;\r\nMalware ID: used to generate the first \"word\" of the URL. We assume this ID is used to identify the\r\nmalware version (from a network protocol point of view);\r\nThird ID: used to generate the last \"word\" of the URL. It generally looks like a file name.\r\nThe URL pattern is the following: hxxp://C2_domain:PORT/MalwareIDVictimIPThirdID\r\nSHA256: c6baef8fe63e673f1bd509a0f695c3b5b02ff7cfe897900e7167ebab66f304ca\r\nC2 URL: hxxp://www[.]hosting[.]tempors[.]com:443/av9d0.0.0.0akspbv.txt\r\n2016: More packers\r\nIn 2016, the developer implemented a new way of packing Bisonal. An initial static analysis\r\nimmediately shows an executable with very little information. IDA Pro only shows five functions\r\nand almost no imports.\r\nLooking at the few functions available, it becomes clear the packer uses several anti-analysis tricks. 
In the\r\nunpacking stage, the malware has a lot of useless jumps and calls, which make tracking the code in the debugger\r\nharder.\r\nAfter the unpacking is done, the malware continues to use several anti-analysis measures. There are almost no\r\ndirect calls to functions. It is common during the unpacking process to find useless code, like sequences of one\r\ninstruction followed by a jump or increments in register values almost immediately followed by decrements. The\r\ninitial unpacking is based on the manipulation of the return addresses pushed on the stack and the ordering of the\r\ndata within the .text section. A second stage will allocate memory and unpack code into it, which finally will\r\nunpack code into a section that is originally empty called .textbss. This is where the core of the malware will be.\r\nAll API calls are made through a dispatcher function, which is not called directly either: before this function is\r\ncalled, execution goes through a series of jumps and the stack is filled with encoded offset values.\r\nThe call of the jump table entry:\r\nPush parameter for dispatch function onto the stack:\r\nPush all general-purpose registers onto the stack:\r\nBefore calling the actual dispatch function, all registers are saved to the stack; by doing this, the offset value is no\r\nlonger on the top of the stack, so the malware needs to put it back on the top of the stack.\r\nAt this time, and just before the argument in the stack, we also have the return address, inside the core of the\r\nmalware. The dispatcher function will push the desired API function address onto the stack. 
Afterward, it will do\r\nthe same for the general-purpose registers.\r\nAfter calling the dispatcher function, the malware will first restore the general-purpose registers from the stack,\r\nthus leaving the API function address at the top of the stack. Logically, after the ret instruction is executed, the\r\ncode will jump into the API function.\r\nThis mechanism allows the malware to execute API functions without ever using the call instruction, making it\r\ndifficult to perform the analysis. The other side effect is that even after the code is unpacked, if the analyst tries to\r\ndump it and analyze it statically, it will be hard for the disassembler to understand the code.\r\nThe dispatcher function has other tricks up its sleeve. Every time it is called, it will use the anti-debug\r\nGetTickCount() timing check to see if it is being debugged. If there is a discrepancy in the timing, it will terminate the\r\nprocess. The termination can be as simple as a call to ExitProcess(), or it will first resume a thread that will\r\ndisplay a message to the user. To ensure the thread has a chance to run, it will return the Sleep() API call no\r\nmatter what was originally requested. Once Sleep() is executed, the error message thread will have a chance to be\r\nexecuted and will terminate the process.\r\nFrom the functionality point of view, there aren't many differences from the 2014 versions. 
It still uses the three\r\nhard-coded identifiers mentioned previously, but with different values.\r\nSHA256: 15d5c84db1fc7e13c03ff1c103f652fbced5d1831c4d98aad8694c08817044cc\r\nC2 URL: hxxp://emsit[.]serveirc[.]com/ks8d0.0.0.0akspbu.txt\r\n2018: I miss you\r\nDuring 2018, the attackers used a mix of samples using the MFC framework or the Visual C\r\nlibraries. The registry key used for the persistence is now named \"mismyou\".\r\nIn September 2018, the developer made a mistake. Normally on this variant of Bisonal the domain names are\r\nencoded. However, the developer forgot to obfuscate the strings and put them in clear text into the variables, but\r\nthe deobfuscation function is still executed:\r\nThe effect of the mistake is to destroy the domain name and generate a garbage string. The malware will try to\r\nconnect to this bad domain (hxxp://硟满v鐿緲赥e ?r雀溝1kdi簽:70/ks8d0.0.0.0akspbu.txt). You can see here a\r\nscreenshot of the debugger trying to perform a connect on it:\r\nSHA256: 92be1bc11d7403a5e9ad029ef48de36bcff9c6a069eb44b88b12f1efc773c504\r\nC2: kted56erhg[.]dynssl[.]com\r\nSHA256: d83fbe8a15d318b64b4e7713a32912f8cbc7efbfae84449916a0cbc5682a7516\r\nC2 fail: hxxp://硟满v鐿緲赥e ?r雀溝1kdi簽:70/ks8d0.0.0.0akspbu.txt\r\n2019 - Office Extension and a new packer\r\nPacker\r\nStatic analysis of this executable shows only two functions, but a normal number of imports. This time the\r\npacker shares some of the characteristics of the advanced one used in 2016.\r\nThere is a lot of useless code, including jumps and bswap operations. 
Upon detecting a debugger attached to it, the\r\nmalware will display the message below and terminate the execution.\r\nThis message translates to \"The debugger was found to be running in your operating system. This turns it off\r\nbefore running the program again!\".\r\nThis packer also hides the calls to API functions. This time, instead of using a dispatcher function, the malware\r\npushes the arguments onto the stack as usual but will then perform a call to a jump table built during the\r\nunpacking, in the .text section memory region.\r\nEven though a call is made, these are not functions; in fact, most of the code in this jump table is useless except\r\nfor the last instruction of each entry. Each entry finishes with a jmp instruction into the respective API function.\r\nEffectively, the malware never calls API functions directly; it always performs a jump. The return address is\r\nloaded onto the stack when the malware does a call to the jump table. The end result is the same as in the packer\r\nfrom 2016, but with a simpler mechanism.\r\nThe majority of the code was moved into a packed area. The malware configuration (such as C2 server and the\r\nUser-Agent) is outside that area. The packer uses a thread-local storage (TLS) callback to unpack some of the\r\ncode. At this stage, it uses in-place unpacking, avoiding memory allocations. One of the anti-analysis features\r\nincluded in this packer is the lack of calls to API functions. 
In the early stages of execution, the malware loads the\r\nlibraries and retrieves the addresses of the functions it needs.\r\nFeature-wise, there is no change when compared with the 2016 version; in fact, when compared, the C2 beaconing\r\nfunctions even share some of the offsets.\r\nOffice Extension\r\nIn 2019, the actor behind Bisonal used a new way to deploy the malware on the targets' systems. They sent a\r\nmalicious RTF document to the targets with an exploit targeting CVE-2018-0798 (Microsoft's Equation\r\nEditor vulnerability). The purpose of the shellcode was not to execute the malware (as is usual) but simply\r\nto drop it in the %APPDATA%\\microsoft\\word\\startup\\ directory with the .wll extension.\r\nThe libraries in this directory with this specific extension will be loaded as a Microsoft Office extension. So the next\r\ntime the user opens an Office application, the malware will be loaded and executed. The purpose of the malware is\r\nto deploy Bisonal on the infected system ($tmp$\\tmplogon.exe) and to create a Run registry key in order to\r\nexecute Bisonal at the next reboot of the system.\r\nWe think the purpose of this multistage execution is an anti-sandbox technique. If you look at the report after\r\nexecuting the malicious document, you only see one action: the .wll file creation. The user also needs to open an\r\nOffice application and finally a reboot is needed in order to execute the real payload: Bisonal.\r\nBigger is better\r\nWe identified a version of Bisonal using the Office extension with a really specific behavior during the\r\ninstallation of the malicious payload. The dropper appends 80MB of binary data at the end of the Bisonal\r\nbinary:\r\nThe binary value is \"56MM\" in ASCII characters. 
If we look at the malware, we can see the appended data:\r\nWe are not sure of the purpose of the creation of a huge binary. It could be an anti-analysis technique. Some tools\r\nlimit the size of the analyzed files. For example, by using the VirusTotal standard API, we cannot upload files\r\nbigger than 32MB. We also identified sandboxes that cannot handle big files correctly. Remember, size matters.\r\nMalware code\r\nThe developer partially refactored the code. The variant from 2019 keeps exactly the same features. The\r\ntwo main changes are the obfuscation and the network protocol used to communicate with the C2 server.\r\nThe developers used two different obfuscation algorithms: one for the C2 encoding and one for the data. The C2\r\nencoding is a simple XOR (as in 2012):\r\nThe C2 communication is also different. As the data are now sent with the GET method, the data must\r\nbe in ASCII. That's why they add base64 encoding in order to get supported characters in the HTTP query.\r\nFor the first time, the developer switched from POST requests to GET requests:\r\nThe exfiltrated data is appended to the URL. Here is the pattern:\r\nhxxp://C2_domain/MalwareIDVictimIPThirdIDExfiltratedDataBase64\r\nSHA256: 37d1bd82527d50df3246f12b931c69c2b9e978b593a64e89d16bfe0eb54645b0\r\nC2 URL: hxxp://www[.]amanser951[.]otzo[.]com/uiho0.0.0.0edrftg.txt\r\n2020: Business as usual\r\nAhnlab, a South Korean software company, simultaneously published a paper regarding Bisonal's\r\nactivity in South Korea. In this case, the infection vector has changed from previous samples. 
The\r\ninitial stage is a binary that drops a decoy document (PowerPoint or Excel document), a\r\nVisualBasic script and the packed Bisonal payload. The payload is dropped with a .jpg extension\r\nthat's then renamed to \".exe.\" Here is an example decoy document:\r\nThe purpose of the VisualBasic script is to execute the payload. Similar to attacks in 2019, the attacker appends\r\ndata in order to generate a large binary. Although the malicious part of the binary is only 2MB, the final file is\r\nmore than 120MB in size, padded out with random data. This may be an attempt to evade antivirus engines that\r\nonly scan up to a maximum file size. The payload has been packed with a new packer.\r\nThe code of Bisonal is similar to the version of 2019. The attacker implements indirect API calls by using the\r\nGetProcAddress() and LoadLibrary() APIs.\r\nSha256: b7ef3ec4d9b0fd29c86c9a4b2a94819a80c83e44cdc47a9091786d839be6a7c4\r\nC2: imbc[.]onthewifi[.]com\r\nBisonal timeline summary\r\nConclusion\r\nThe actor behind Bisonal is clearly motivated and has an interest in Russian,\r\nKorean and Japanese victims. The development of Bisonal has been active for\r\nmore than a decade. We have observed the code evolving with the different\r\npublications but also with the evolution of Microsoft Windows.\r\nHowever, specific functions are still used today, many years after the original implementation of the Bisonal\r\nmalware. Even if Bisonal could be considered simple, with less than 30 functions, it has spent its life targeting\r\nsensitive entities in both the public and private sectors. 
Some campaigns were even mentioned on mainstream\r\nmedia against military entities within the mentioned regions.\r\nDuring the decade of activities, we also can see mistakes and rollbacks from the attackers. For example, in one\r\ncampaign they put the domain name of the C2 server in plaintext in the malware which had the function to\r\ngenerate a non-ASCII string for the C2 servers once decoded. In this condition, the malware cannot work on the\r\ncompromised system. Even after so many years of activities, the attackers make mistakes.\r\nWe don't see any reason why this actor will stop in the near future. With this investigation and the analysis of this\r\ndecade of activity, we hope to force this actor to innovate by providing a better understanding of his arsenal and\r\nmore specifically how Bisonal works.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nhttps://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html\r\nPage 39 of 43\n\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. 
Exploit Prevention present within AMP is designed to protect customers from unknown attacks such\r\nas this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), Cisco ISR, andMeraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nOSQuery\r\nCisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected\r\nwith this specific threat. 
For specific OSqueries on this threat, click below:\r\nBisonal File Path Detected\r\nBisonal Registry Detected\r\nhttps://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html\r\nPage 40 of 43\n\nSHA256:\r\n0cf9d9e01184d22d54a3f9b6ef6c290105eaa32c7063355ca477d94b130976af\r\n7dc58ff4389301a6eccc37098682742b96e5171d908acdeb62aeaa787496c80a\r\n0ff88a6cd7dcd27f14ebb7b2c97727b81e1aa701280d1164685c52c234e4a9df\r\n8252f2cdedf16f404d43c81d005ea8ebb10594477f738e40efacf9013e1470d2\r\n915ad316cfd48755a9e429dd5aacbee266aca9c454e9cf9507c81b30cc4222e5\r\n1128d10347dd602ecd3228faa389add11415bf6936e2328101311264547afa75\r\n92be1bc11d7403a5e9ad029ef48de36bcff9c6a069eb44b88b12f1efc773c504\r\n15d5c84db1fc7e13c03ff1c103f652fbced5d1831c4d98aad8694c08817044cc\r\n9638e7bb963ac881bd81071d305dea91b040536c55b7ee79b526b8afcfad6972\r\n1e66579b856cd331518d67c351bcb2b102399d8ade53370797228b289e905dc1\r\n979d4e6665ddd4c515f916ad9e9efd9eca7550290507848c52cf824dfbd72a7e\r\n22b3a86f91d2eb5a8a1e1cdc044bcf6aca898663071be5233bac00c0f0d3c001\r\n9c86c2dd001c47b933c6b5f43c8f87a6d0c01c066e3520e651fab51d19355d3c\r\n2c1e0facf563bb2054d9a883144ef9bad77ba75cdb46cc80843821c363c0a9dc\r\na4a5c60a392d236b76907f58597e83ba9c9d4cfc6a4502ef3e0e149b8710a0c6\r\n359835c4a9dbe2d95e483464659744409e877cb6f5d791daa33fd601a01376fc\r\nb1da7e1963dc09c325ba3ea2442a54afea02929ec26477a1b120ae44368082f8\r\n37d1bd82527d50df3246f12b931c69c2b9e978b593a64e89d16bfe0eb54645b0\r\nb75c986cf63e0b5c201da228675da4eff53c701746853dfba6747bd287bdbb1d\r\n43459f5117bee7b49f2cee7ce934471e01fb2aa2856f230943460e14e19183a6\r\nb85e4168972b28758984f919aef2ce0fde271ee1f0863510e521a2920fcc658e\r\n43606116e03672d5c2bca7d072caa573d3fc2463795427d6f5abfa25403bd280\r\nbd1a9b148580dad430683639b747d1c49932db5d8f6eb2d90e2583af976810dc\r\n436fc9530015c2d2b952a16d2a3dfa202d1cb1c577b580811b9b48355855591b\r\nc5496dc3fa96b657ab4467c551877bbced56fd07c00c7ccb199c1794235bf710\r\n444e864a3bb2abb1edccab4a5cd45bc0039f2a48e01615b2719da65a40a5140e\r\nc6baef8fe63e67
3f1bd509a0f695c3b5b02ff7cfe897900e7167ebab66f304ca\r\ncdba1a69d75f3e2256dccc16255aef07ded41c257b2cc95ccb801a0063445926\r\n5caada5737b0a6c8c8f8a27bfcd0fb2221af68a4856278c3919b37279daa7409\r\nd19b85891dd0f83808b70fbe68a56a64e828611dfe53d04a6c1c211f1352b5b5\r\n6676934d7f214cb256407400357c1f7ead69a523b3017f6a5bc30d06a11a8305\r\nd7692a71b85c869ee11647b80ea6d42b2e4303233c525a8fa7e6bec3599e2c8b\r\n67e286c7308dda5cd8fe4a1340f354927e5791ce6ef0ef02c93a4e063e11c4ad\r\nd83fbe8a15d318b64b4e7713a32912f8cbc7efbfae84449916a0cbc5682a7516\r\n6c714653a8fa54eef1de2f0148e5e8cf514907f6f523bf09c8ee126bebcdbdcc\r\ndd88b31275b7079899d945fc6de2dceaf7e8fc143ef24be5bb336585ddf6af1e\r\n6cc4707942f9323347c95066a43b30f874f1b1c783960cf8ed9ecf5914f85ba7\r\nhttps://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html\r\nPage 41 of 43\n\neb7681c653ef1942103cd3272fd124eaf73e79bb830be978535c18b73c87b985\r\n6ef4df8460ba57b836f52a9a73e2d739a3f2aa832bec6b663af53b55dc74a63d\r\neffd31b11bdc6486082967c2d8e53d979e59a88ba28e68a1c94f5a064a8a966d\r\n6f4a1b423c3936969717b1cfb25437ae8d779c095f158e3fded94aba6b6171ad\r\n6f8bbea18965b21dc8b9163a5d5205e2c5e84d6a4f8629b06abe73b11a809cca\r\nf3a30e5f8bfd0f936597bcef7cb43df11ec566467001dff9365771900e90acb1\r\n77a36530555eada268238050996839bd34670e8bfda477c30d9dd66574625f59\r\nf9302b7ecc32b891edeaf61353dc5e976832b7104ec0d36f1641f1f40cf6fe12\r\n799d858ff77c29684fc1522804ed45c24171484d9618211c817df01424bc981a\r\n23d263b6f55ac81f64c3c3cf628dd169d745e0f2b264581305f2f46efc879587\r\n72f6a54d0d09a16e6fde9800aa845cd1866001538afb2c8f61f3606f5e13f35a\r\n4bad5898373eb644662a8c1d5d5c674e2558908e34bb2fd915f3350b0f28752b\r\nb7ef3ec4d9b0fd29c86c9a4b2a94819a80c83e44cdc47a9091786d839be6a7c4\r\nC2 
servers:\r\n0906[.]toh[.]info\r\ndnsdns1[.]PassAs[.]us\r\neuiro8966[.]organiccrap[.]com\r\njennifer998[.]lookin[.]at\r\nkfsinfo[.]ByInter[.]net\r\nkted56erhg[.]dynssl[.]com\r\nmycount[.]MrsLove[.]com\r\nsince[.]qpoe[.]com\r\nusababa[.]myfw[.]us\r\nv3net[.]rr[.]nu\r\nwww[.]amanser951[.]otzo[.]com\r\nwww[.]amanser951.otzo[.]com\r\n137[.]170[.]185[.]211\r\n196[.]44[.]49[.]154\r\n21kmg[.]my-homeip[.]net\r\n61[.]90[.]202[.]197\r\n61[.]90[.]202[.]198\r\n69[.]197[.]149[.]98\r\nagent[.]my-homeip[.]net\r\napplejp[.]myfw[.]us\r\ndnsdns1[.]PassAs[.]us\r\nemsit[.]serveirc[.]com\r\netude[.]servemp3[.]com\r\neuiro8966[.]organiccrap[.]com\r\nhttps://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html\r\nPage 42 of 43\n\nfaceto[.]UglyAs[.]com\r\ngames[.]my-homeip[.]com\r\nhansun[.]serveblog[.]net\r\nhxxp://硟满v鐿緲赥e ?r雀溝1kdi簽:70/ks8d0.0.0.0akspbu.txt\r\nindbaba[.]myfw[.]us\r\nkazama[.]myfw[.]us\r\nkreng[.]bounceme[.]net\r\nkted56erhg[.]dynssl[.]com\r\nmycount[.]MrsLove[.]com\r\nnavego[.]serveblog[.]net\r\nshinkhek[.]myfw[.]us\r\nwew[.]mymom[.]info\r\nwww[.]hosting[.]tempors[.]com\r\nwww[.]nayana[.]adultdns[.]net\r\nwww[.]dds.walshdavis[.]com\r\nimbc[.]onthewifi[.]com\r\nSource: https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html\r\nhttps://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html\r\nPage 43 of 43\n\n\"exit\\r\\b\" string Another interesting to the executed command change is the in order fact they don't to exit properly: use CHCP command anymore to force the charset but use code\npage. You can see in the screenshot 0x4E3 (1251 -Cyrillic Russian) and 0x362 (866-DOS Cyrillic Russian):\n   Page 15 of 43",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html"
	],
	"report_names": [
		"bisonal-10-years-of-play.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434813,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c937bbd9eef86780cbacc655ca028a992018d91a.pdf",
		"text": "https://archive.orkl.eu/c937bbd9eef86780cbacc655ca028a992018d91a.txt",
		"img": "https://archive.orkl.eu/c937bbd9eef86780cbacc655ca028a992018d91a.jpg"
	}
}