Tuesday, July 16, 2024

Bisonal Malware Launching Via Malicious PDF to Attack Government, Military or Defense Industries

The new version of Bisonal Malware is discovered that it is carried by Weaponized PDF Icon that mainly targeting the organizations related to government, military or defense industries.

This malware campaign mainly used in an attack against various countries since 2014, at this time malware authors, are updating various future in the new version of Bisonal Malware.

Researchers identified 2 primary difference between the old version of Bisonal malware and the new version that includes  C2 communication, code rewritten and the malware authors added a lot of evasion techniques to maintain the persistence.

Currently distributing malware campaign mainly focus on Russia and South Korea which contain some of the common attacks compare with the old version.

  • Usually targeting organizations related to government, military or defense industries in South Korea, Russia, and Japan.
  • In some cases, the use of Dynamic DNS (DDNS) for C2 servers.
  • The use of a target or campaign code with its C2 to track victim or attack campaign connections.
  • Disguising the Bisonal malware as a PDF, Microsoft Office Document or Excel file.
  • The use of a decoy file in addition to the malicious PE file
  • In some cases, code to handle Cyrillic characters on Russian-language operating systems.

Bisonal Malware Attack Targets

Here we can see one of the examples Bisonal module which is a targeted attack against Russian based organization that belongs to communication security services, telecommunication systems and defense using spear-phishing emails.

Email body contains some information for defense workers along with attached PDF document that contains an executable file.

Once the Weaponized PDF that contains malicious executable attachment is opened, the main payload is dropped in the victim machine and displays a decoy file to the victim.

Malware disguised as PDF

Dropped Decoy file belongs to Bisonal Malware Family and it hides the encrypted Bisonal DLL file and non-malicious decoy file at the end of the body.

Bisonal malware main module using a different cipher for C2 communication using the same key since 201, also a large part of the code has been re-written.

Later Bisonal variant send  HTTP POST request to the C2 server and share the IP address of the compromised machine.

According to paloalto networks, Another sign of the infection is the data being sent to the C2 server during the initial connection. Every time this variant of Bisonal communicates with its C2, it sends a unique id number and backdoor command in the first eight bytes.

Soon after receiving the initial beacon from the victim infected with Bisonal, the C2 replies with a session id number and backdoor command.

Based on the commands compromised system will reply to the C&C server along with following backdoor command.

0x000000C8gets system info
0x000000C9gets running process list
0x000000CAterminates process
0x000000CBaccesses cmd shell
0x000000CDdownloads file
0x000000CFexecutes file
0x000000D1creates file

Likewise, the targets are military or defense industry in particular countries such as South Korea, Japan, India and Russia and the researchers believe that there is a group behind this massive attack and investigation is still going on.


Dropper SHA256:



Bisonal SHA256:





Also Read

Iranian Hacker Group Launch APT Attack on Government Organizations To Steal Email Data, Files & Credentials

Beware of Fake Banking Malware Apps in Google Play That Steals Credit Card Details and Internet Banking Credentials

Hackers Distributing FELIXROOT Backdoor Malware using Microsoft Office Vulnerabilities


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles