| BMANAGER | |
|---|---|
| Type of Malware | Trojan |
| Date of initial activity | 2024 |
| Associated Groups | Boolka |
| Motivation | Data Theft |
| Attack Vectors | Web Browsing |
| Type of information Stolen | System Information |
| Targeted Systems | Windows |
Overview
BMANAGER is a sophisticated piece of malware designed to perform a variety of tasks on compromised systems, making it a potent tool in the hands of cybercriminals. This malware operates by establishing a connection with a hard-coded Command and Control (C2) server, allowing it to download and execute malicious files, create and manage Windows tasks, and maintain persistence on infected machines. Its ability to interact with additional malware modules further extends its functionality, making it a versatile threat in the cybersecurity landscape.
One of the key features of BMANAGER is its capability to create and manage Windows tasks, which is crucial for maintaining persistence. By leveraging the Windows Task Scheduler, the malware can ensure that its payloads are executed every time the system boots up, making it difficult for traditional security measures to detect and remove it. The tasks created by BMANAGER are tailored to run with the highest privileges, ensuring that the malware can operate with minimal interference from the user or security software.
The malware’s communication with its C2 server is another critical aspect of its operation. BMANAGER uses HTTP(S) GET requests to send and receive commands, register the infected client, and retrieve additional payloads. This communication is carefully structured to avoid detection, with the malware selecting the most responsive C2 server from a list provided by the initial C2 contact. The GUID generated and stored by the malware ensures that each infected system can be uniquely identified and tracked by the attackers.
Targets
Information.
Individuals.
How they operate
Upon execution, BMANAGER initiates its operation by registering the infected client with a C2 server. This registration process involves generating a globally unique identifier (GUID) and storing it in a local SQL database. The malware then sends this GUID to a hard-coded C2 address via an HTTP(S) GET request. The C2 server responds with a list of additional C2 nodes, which BMANAGER evaluates based on response times to determine the optimal active C2 for further communication. The chosen C2 is then marked in the local database, and the malware proceeds to request a list of target applications.
BMANAGER’s persistence mechanism relies heavily on the creation and management of Windows scheduled tasks. It achieves this by executing commands to create tasks that trigger the execution of specific executables during system login. These tasks ensure that the malware and any additional payloads it downloads continue to run even after system reboots. The malware can also delete or modify these tasks as needed, providing flexibility in managing its presence on the infected machine.
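The persistence pattern described above (a logon-triggered task, run with the highest available privileges, pointing at an executable outside the usual system directories) can be triaged directly from Task Scheduler XML definitions, which live under C:\Windows\System32\Tasks and are also embedded in Security event 4698. The following is an added defender-side example, not code from the original page or from the BMANAGER sample; the task names, paths and trusted-directory list are constructed assumptions to adapt to your environment.

```python
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories where legitimately installed task actions are expected to live (assumption;
# refine per environment, e.g. C:\Windows\Temp is still user-writable).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ENV_ALIASES = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}


def normalize_command(command):
    """Lower-case, strip surrounding quotes and expand the common system variables."""
    cmd = command.strip().strip('"').lower()
    for alias, path in ENV_ALIASES.items():
        cmd = cmd.replace(alias, path)
    return cmd


def triage_task(xml_text):
    """Return findings for one task definition: logon trigger, privilege level, action paths."""
    root = ET.fromstring(xml_text)
    logon_trigger = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    commands = [c.text for c in root.findall("t:Actions/t:Exec/t:Command", NS) if c.text]
    untrusted = [c for c in commands
                 if not normalize_command(c).startswith(TRUSTED_PREFIXES)]
    return {
        "logon_trigger": logon_trigger,
        "highest_privileges": run_level == "HighestAvailable",
        "commands": commands,
        "untrusted_commands": untrusted,
        # All three traits together form the pattern the page describes for BMANAGER.
        "suspicious": logon_trigger and run_level == "HighestAvailable" and bool(untrusted),
    }


# Constructed samples for illustration (not real BMANAGER task names or paths).
SUSPICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\\Users\\victim\\AppData\\Roaming\\svc\\updater.exe"</Command></Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%SystemRoot%\\System32\\notepad.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(xml))
```

Run it over every file in the Tasks directory (or the XML body of each 4698 event) and review the entries it marks suspicious alongside the task's creation time and creating account.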
In addition to maintaining persistence, BMANAGER is capable of downloading and executing additional malware components, such as BMREADER, BMLOG, BMHOOK, and BMBACKUP. These components enhance the malware’s capabilities, including data exfiltration, keylogging, and system monitoring. The malware retrieves these additional payloads from the active C2 server, using encoded and compressed data that is subsequently decompressed and executed on the victim’s system. Once the tasks are completed, BMANAGER reports back to the C2 with the version information, ensuring that the malware operates in sync with the latest directives from its controllers.
Overall, BMANAGER’s technical sophistication lies in its ability to maintain persistence through scheduled tasks, its dynamic communication with multiple C2 nodes, and its modular architecture that allows for the deployment of additional malicious components. This adaptability makes BMANAGER a formidable threat in the malware landscape, capable of evolving and responding to different operational requirements as directed by its C2 infrastructure.
MITRE Tactics and Techniques
Initial Access (TA0001):
Technique: Spearphishing Link (T1566.002) or Drive-by Compromise (T1189)
Description: BMANAGER could be delivered to the target system through phishing emails containing malicious links or attachments, or via compromised websites.
Execution (TA0002):
Technique: Scheduled Task/Job (T1053)
Description: BMANAGER creates Windows tasks to execute its payloads, ensuring that executables are run at specific times, such as during system login.
Persistence (TA0003):
Technique: Scheduled Task/Job (T1053.005)
Description: The malware achieves persistence by creating tasks that are triggered on user login, making sure the malware continues to execute even after system reboots.
Privilege Escalation (TA0004):
Technique: Abuse Elevation Control Mechanism: Scheduled Task (T1548.002)
Description: BMANAGER can create tasks that run with elevated privileges, allowing it to perform actions that require administrative access.
Defense Evasion (TA0005):
Technique: Obfuscated Files or Information (T1027)
Description: BMANAGER may use obfuscation techniques to avoid detection by security software, such as encoding payloads or hiding its activities within legitimate processes.
Technique: Masquerading: Match Legitimate Name or Location (T1036.005)
Description: The malware could disguise itself by using names or paths that resemble legitimate software, making it harder to detect.
Credential Access (TA0006):
Technique: Input Capture: Keylogging (T1056.001)
Description: BMANAGER includes a keylogging module (BMLOG) that captures user input, including passwords and other sensitive information, and stores it in a local database.
Discovery (TA0007):
Technique: System Information Discovery (T1082)
Description: The malware gathers information about the infected system, such as the list of running applications, which can be used to determine its next actions.
Command and Control (TA0011):
Technique: Application Layer Protocol: Web Protocols (T1071.001)
Description: BMANAGER communicates with its C2 server using HTTP(S) GET requests, enabling it to receive commands and exfiltrate data.
Technique: Fallback Channels (T1071.003)
Description: BMANAGER uses a list of C2 servers, switching to the next available server if the active one becomes unreachable.
Exfiltration (TA0010):
Technique: Exfiltration Over C2 Channel (T1041)
Description: The BMREADER module within BMANAGER exfiltrates stolen data, such as keylogs, via the established C2 communication channel.