
BBSRAT

Posted: June 8, 2020

BBSRAT is a malicious remote access tool that gives attackers control of a compromised machine. Through it they can execute commands and code remotely and deploy additional malware onto the infected system. BBSRAT may also run automated scripts that collect information about the system's hardware and software configuration, its network settings and its folder structure. BBSRAT is a flexible project whose operators could use it for a wide variety of tasks related to data theft, espionage or destruction of valuable data.

The activity involving BBSRAT is tracked under the name 'Roaming Tiger', but it has not been attributed to an established threat actor: neither the goals and motivations of the attackers nor their country of origin are clear. The targets of BBSRAT appear to be mostly in Russian-speaking countries, and the first attacks, in 2015 and 2016, were carried out almost exclusively with spear-phishing emails written in Russian.

BBSRAT is Deployed by Exploiting an Old Microsoft Office Vulnerability

The attackers took advantage of several vulnerabilities found in older versions of popular office software; CVE-2012-0158 appeared to be the most regularly used one. CVE-2012-0158 is a buffer overflow in the MSCOMCTL.OCX ActiveX control shipped with Microsoft Office, triggered while a malicious document is parsed, so it does not rely on a macro. The attachment was usually a '.doc' file that displayed a prompt asking the user to 'Enable Content', claiming this was required to view the document. If the user fell for the social engineering trick, a decoy document was displayed while the exploit ran in the background and dropped the implant.

BBSRAT gains persistence by adding an auto startup entry to the Windows Registry. Once active, the implant can execute commands received from the attacker's control server:

  • Execute remote commands and transfer the response to the control server.
  • Uninstall the implant and wipe out all files linked to its activity.
  • List running processes and terminate specific ones.
  • Receive directory structure and a list of files.
  • Read, edit or delete files.
  • Upload more files from the control server.
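The page does not say which Registry key or value name BBSRAT uses for its autostart entry, so the example below is generic: it triages Run/RunOnce key writes for the pattern the two passages above describe (an Office process dropping a payload into a user-writable directory and registering it to start at logon). This is an added example, not code from the page or from the BBSRAT campaign analysis. The events are constructed samples in a simplified JSON-like shape modelled on Sysmon Event ID 13 ("RegistryEvent (Value Set)") fields; the field names, SIDs and file paths are assumptions for the demo, and the writer list and directory list are starting points to tune, not a complete rule.

```python
"""Triage Windows autostart (Run/RunOnce) registry writes for RAT-style persistence.

Added example. Input events mimic the Image / TargetObject / Details fields of
Sysmon Event ID 13; the SAMPLE_EVENTS below are constructed for this demo.
"""
import json
import re

# Key suffixes (lower-case) compared against the TargetObject key path with the
# value name removed. Wow6432Node and per-user hives end the same way.
AUTOSTART_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Directories an unprivileged user can write to. An autostart entry that
# launches from one of these is a common sign of a dropped implant.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|public|programdata|downloads)\\", re.IGNORECASE
)

# Processes that have no normal reason to create autostart entries. An Office
# application doing so is consistent with a document exploit dropping a payload.
SUSPICIOUS_WRITERS = {
    "winword.exe", "excel.exe", "powerpnt.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
}


def is_autostart_value(target_object: str) -> bool:
    """True when TargetObject names a value directly under a Run/RunOnce key."""
    key, _, _value_name = target_object.rpartition("\\")
    key = key.lower()
    return any(key.endswith(suffix) for suffix in AUTOSTART_KEYS)


def image_path(details: str) -> str:
    """Pull the executable path out of registry data such as
    '"C:\\dir\\a.exe" /arg' or 'C:\\dir\\a.exe -s'.

    For an unquoted value the returned span runs up to the first token ending in
    an executable extension; with a loader such as 'rundll32 C:\\x\\a.dll,Entry'
    the loader stays in the span, but the real file path is still inside it.
    """
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    match = re.match(
        r"(.+?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?=\s|,|$)", details, re.IGNORECASE
    )
    return match.group(1) if match else details.split(" ", 1)[0]


def triage(events: list) -> list:
    """Return one finding per suspicious autostart write, with the reasons."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13 or not is_autostart_value(ev["TargetObject"]):
            continue
        path = image_path(ev["Details"])
        writer = ev["Image"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if USER_WRITABLE.search(path):
            reasons.append("launches from user-writable directory")
        if writer in SUSPICIOUS_WRITERS:
            reasons.append(f"autostart written by {writer}")
        if reasons:
            findings.append({"value": ev["TargetObject"], "path": path,
                             "writer": ev["Image"], "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # A vendor installer registering its own agent under Program Files: benign.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe" --tray'},
    # Word (the process that parsed the malicious document) registering a
    # payload it dropped into the user's AppData.
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\ivan\AppData\Roaming\Update\svchost.exe"},
    # Unrelated registry write, not under an autostart key: ignored.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    # A script host pointing a Run entry at Temp.
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Svc",
     "Details": r'"C:\Users\ivan\AppData\Local\Temp\svc.exe" -s'},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run stand-alone, the script reports two findings (the WINWORD.EXE and wscript.exe writes) and passes over the vendor installer and the Explorer setting. In production the same logic applies to real Sysmon events after the XML is parsed; the writer process is the higher-signal field, since a RAT will happily drop its payload into a directory that is not on the user-writable list.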

These are just some of the BBSRAT features observed in the attacks that took place in 2015 and 2016. The implant may have undergone significant updates since then, and more recent variants could carry additional capabilities. Keep your network protected from BBSRAT and similar threats by applying the latest updates to all software, in particular Microsoft Office, and by relying on an up-to-date anti-virus service.
