
Bankshot

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector.[1]

ID: S0239
Associated Software: Trojan Manuscript
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 17 October 2018
Last Modified: 22 October 2025

Associated Software Descriptions

Name | Description
Trojan Manuscript | [1]


Techniques Used

Domain | ID | Name | Use
Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token

Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.[1]

Enterprise | T1087.001 | Account Discovery: Local Account

Bankshot gathers domain and account names/information through process monitoring.[1]

Enterprise | T1087.002 | Account Discovery: Domain Account

Bankshot gathers domain and account names/information through process monitoring.[1]

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols

Bankshot uses HTTP for command and control communication.[1]

Enterprise | T1119 | Automated Collection

Bankshot recursively generates a list of files within a directory and sends them back to the control server.[1]

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell

Bankshot uses the command-line interface to execute arbitrary commands.[1][2]

Enterprise | T1543.003 | Create or Modify System Process: Windows Service

Bankshot can terminate a specific process by its process id.[1][2]

Enterprise | T1132.002 | Data Encoding: Non-Standard Encoding

Bankshot encodes commands from the control server using a range of characters and gzip.[1]

Enterprise | T1005 | Data from Local System

Bankshot collects files from the local system.[1]

Enterprise | T1001.003 | Data Obfuscation: Protocol or Service Impersonation

Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.[3]

Enterprise | T1140 | Deobfuscate/Decode Files or Information

Bankshot decodes embedded XOR strings.[2]

Enterprise | T1041 | Exfiltration Over C2 Channel

Bankshot exfiltrates data over its C2 channel.[1]

Enterprise | T1203 | Exploitation for Client Execution

Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant on the victims' machines.[1]

Enterprise | T1083 | File and Directory Discovery

Bankshot searches for files on the victim's machine.[2]

Enterprise | T1070 | Indicator Removal

Bankshot deletes all artifacts associated with the malware from the infected machine.[2]

Enterprise | T1070.004 | Indicator Removal: File Deletion

Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.[1]

Enterprise | T1070.006 | Indicator Removal: Timestomp

Bankshot modifies the time of a file as specified by the control server.[1]

Enterprise | T1105 | Ingress Tool Transfer

Bankshot uploads files and secondary payloads to the victim's machine.[2]

Enterprise | T1680 | Local Storage Discovery

Bankshot gathers disk type and disk free space.[1][2]

Enterprise | T1112 | Modify Registry

Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.[2]

Enterprise | T1106 | Native API

Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().[1]

Enterprise | T1571 | Non-Standard Port

Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.[2]

Enterprise | T1057 | Process Discovery

Bankshot identifies processes and collects the process ids.[1]

Enterprise | T1012 | Query Registry

Bankshot searches for certain Registry keys to be configured before executing the payload.[2]

Enterprise | T1082 | System Information Discovery

Bankshot gathers system information, network addresses, and the operating system version.[1][2]

Groups That Use This Software

ID | Name | References
G0032 | Lazarus Group | [1]
