Security researchers have spotted a new variant of the Bisonal malware being used against organizations in South Korea and Russia. According to Palo Alto Networks' Unit 42, the previously undocumented variant has been in the wild since at least 2014.
However, it sports a couple of changes from the original Bisonal, including a different cipher and encryption for C2 communication, as well as significantly rewritten code for maintaining persistence and network encryption.
In May, researchers discovered an attack campaign delivering the malware variant to a defense firm in Russia that "provides communication security services and products" and to an unidentified organization in South Korea. However, they have gathered only 14 samples of the variant so far, which could indicate that it isn't being widely used.
"The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file’s contents," researchers wrote in a blog post. "Though Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using same high-level playbooks."
According to researchers, the attackers using Bisonal typically target government, military or defense-related organizations in South Korea, Japan and Russia. The malware itself usually masquerades as a PDF, Microsoft Office document or an Excel file and comes with a malicious PE file. In some cases, the attackers use Dynamic DNS (DDNS) for C2 servers, along with a target or campaign code to track victim or attack campaign connections. The attackers also include code to handle Cyrillic characters on Russian-language operating systems.
Researchers observed the same characteristics in the latest attack campaigns targeting South Korea and Russia.
Russian attack campaign
Unit 42 observed an attack campaign targeting a Russian organization that specializes in encryption and cryptographic services and develops multiple secure communication products such as telecommunication systems and data protection facilities.
The targeted firm received a phishing email crafted to look like it was sent by Russian state corporation Rostec.
"The contents of the email suggest it was sent from the legal support and corporate governance department of Rostec and includes project details aimed at improving the housing conditions of defence industry workers," researchers noted. "It is interesting to note there is a relationship between the target company and Rostec: the attackers may be trying to exploit the relationship between Rostec and the target to add an additional air of legitimacy to the attack."
Once the malicious attachment, disguised to look like a PDF document, is opened, the main payload is dropped onto the victim's system while a decoy file is displayed. The decoy PDF file featured content that matches an older Russian-language article published on Rostec's website that discusses its new housing project plans and benefits to defense industry workers.
Meanwhile, the malware dropper decrypts and executes the Bisonal DLL file and creates a registry entry to execute the sample when the computer reboots. This sample uses a different cipher for C2 communication, has a large part of its code rewritten, such as the network communication procedures and persistence method, and communicates with one of the hard-coded C2 addresses using the HTTP POST method on TCP port 443.
South Korean campaign
Researchers also spotted another dropper, submitted to an online malware database in March, that was likewise disguised as a PDF document and installs Bisonal and a decoy file. However, the dropper code in this sample was completely different from the Russian one, researchers said.
The decoy PDF file included a job description with the South Korean Coast Guard, the content of which was copied from a Hangul Word Processor file posted on the South Korean Coast Guard's website in March.
However, the installed EXE file was nearly identical to the DLL version of Bisonal used against the Russian firm.
Researchers said they are still investigating the connection between the two attack campaigns and older Bisonal attacks.
"The high-level TTPs of the adversary behind these Bisonal samples matches with previous Bisonal activity," researchers said. "The targets are military or defense industry in particular countries, it used DDNS for C2 servers, and tracked connections from their victims by using target or campaign codes, as well as disguising the malware as document file, and using a dropper to install the malware and decoy file. We currently believe one group is behind these attacks, and we continue to investigate."
Unit 42 has yet to name the suspected threat group behind the attacks.