Track Common Adversary Tasks Performed Using Bankshot
To know more about it, you can go through my detailed document by clicking here
Overview
Bankshot, that was first detected by Homeland Security in December 2017, is the RAT (Remote Access Tool) used by Lazarus group to infiltrate the Turkish financial sector.
Capabilities
The following are some of the tasks that Bankshot is capable of:
- It can quickly search through your files for specific information, inject code into running processes, and delete files, all of which can facilitate easy access to memory, system resources, elevated rights, etc.
- It can misuse the Windows Command Shell to move tools or other files into a compromised environment.
- With the use of obfuscated files, it can also conceal the artifacts of an incursion from any type of forensic investigation.
- It can falter the Windows services in order to execute malicious payload repeatedly to establish persistence.
- In order to repeatedly execute a malicious payload to achieve persistence, it can cause the Windows services to malfunction.
- By deciding how to route network data across systems, it can also take advantage of the connection proxy.
Prevention
The techniques listed below can assist in protecting your network from this malware:
- Monitor any known and unknown deletion tools that are not on the systems already in a business network, or monitor the Windows API calls that may signal any type of code injection, and safeguard them.
- By only inspecting the packet contents, it is possible to identify communications that don't behave according to the expected protocol behavior.
- Keep track of the files that are created and moved throughout the network.
- Identify and keep an eye out for scripts, system utilities, and service binary routes that might be acting maliciously.
- Examine the network data for any odd data flows of any kind.
To know more about it, you can go through my detailed document by clicking here
Comments
Post a Comment