BRONZE BUTLER | APT Profile

Description

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)

Techniques Used (TTPs)

T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1005 — Data from Local System (collection)
T1007 — System Service Discovery (discovery)
T1070.004 — File Deletion (defense-evasion)
T1059.006 — Python (execution)
T1566.001 — Spearphishing Attachment (initial-access)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1113 — Screen Capture (collection)
T1036 — Masquerading (defense-evasion)
T1588.002 — Tool (resource-development)
T1548.002 — Bypass User Account Control (privilege-escalation, defense-evasion)
T1059.005 — Visual Basic (execution)
T1132.001 — Standard Encoding (command-and-control)
T1518 — Software Discovery (discovery)
T1071.001 — Web Protocols (command-and-control)
T1039 — Data from Network Shared Drive (collection)
T1124 — System Time Discovery (discovery)
T1189 — Drive-by Compromise (initial-access)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1003.001 — LSASS Memory (credential-access)
T1203 — Exploitation for Client Execution (execution)
T1018 — Remote System Discovery (discovery)
T1560.001 — Archive via Utility (collection)
T1053.002 — At (execution, persistence, privilege-escalation)
T1102.001 — Dead Drop Resolver (command-and-control)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1080 — Taint Shared Content (lateral-movement)
T1204.002 — Malicious File (execution)
T1027.001 — Binary Padding (defense-evasion)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1059.001 — PowerShell (execution)
T1059.003 — Windows Command Shell (execution)
T1105 — Ingress Tool Transfer (command-and-control)
T1550.003 — Pass the Ticket (defense-evasion, lateral-movement)
T1573.001 — Symmetric Cryptography (command-and-control)
T1027.003 — Steganography (defense-evasion)
T1087.002 — Domain Account (discovery)
T1083 — File and Directory Discovery (discovery)
T1036.002 — Right-to-Left Override (defense-evasion)

Total TTPs: 40

Malware & Tools

Malware: ABK, Avenger, BBK, Daserf, ShadowPad, build_downer, down_new

Tools: Mimikatz, Net, Windows Credential Editor, at, cmd, gsecdump, schtasks

← Return to Home ← Back to APT Search