Group description: BRONZE BUTLER
BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry. [1] [2] [3]

ID: G0060
Associated Groups: REDBALDKNIGHT, Tick
Contributors: Trend Micro Incorporated
Version: 1.3
Created: 16 January 2018
Last Modified: 25 April 2025

Associated Group Descriptions

Name | Description
REDBALDKNIGHT | [1] [3]
Tick | [1] [4] [3]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation. [2] [3]
Enterprise | T1087.002 | Account Discovery: Domain Account | BRONZE BUTLER has used net user /domain to identify account information. [2]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BRONZE BUTLER malware has used HTTP for C2. [2]
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration. [2] [3]
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence. [2]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | BRONZE BUTLER has used PowerShell for execution. [2]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BRONZE BUTLER has used batch scripts and the command-line interface for execution. [2]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | BRONZE BUTLER has used VBS and VBE scripts for execution. [2] [3]
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | BRONZE BUTLER has made use of Python-based remote access tools. [3]
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server. [2]
Enterprise | T1005 | Data from Local System | BRONZE BUTLER has exfiltrated files stolen from local systems. [2]
Enterprise | T1039 | Data from Network Shared Drive | BRONZE BUTLER has exfiltrated files stolen from file shares. [2]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | BRONZE BUTLER downloads encoded payloads and decodes them on the victim. [2]
Enterprise | T1189 | Drive-by Compromise | BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks. [4]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server. [2]
Enterprise | T1203 | Exploitation for Client Execution | BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution. [4] [3]
Enterprise | T1083 | File and Directory Discovery | BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal. [2]
Enterprise | T1574.001 | Hijack Execution Flow: DLL | BRONZE BUTLER has used legitimate applications to side-load malicious DLLs. [3]
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes. [3]
Enterprise | T1070.004 | Indicator Removal: File Deletion | The BRONZE BUTLER uploader, or malware the uploader uses, runs a command to delete the RAR archives after they have been exfiltrated. [2]
Enterprise | T1105 | Ingress Tool Transfer | BRONZE BUTLER has used various tools to download files, including DGet (a tool similar to wget). [2]
Enterprise | T1036 | Masquerading | BRONZE BUTLER has masked executables with document file icons including Word and Adobe PDF. [3]
Enterprise | T1036.002 | Masquerading: Right-to-Left Override | BRONZE BUTLER has used Right-to-Left Override to deceive victims into executing several strains of malware. [3]
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems. [2]
Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection. [2] [3]
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads. [3]
Enterprise | T1588.002 | Obtain Capabilities: Tool | BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor. [4]
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping. [2]
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims. [4] [3]
Enterprise | T1018 | Remote System Discovery | BRONZE BUTLER typically uses ping and Net to enumerate systems. [2]
Enterprise | T1053.002 | Scheduled Task/Job: At | BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement. [2]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement. [2]
Enterprise | T1113 | Screen Capture | BRONZE BUTLER has used a tool to capture screenshots. [2] [3]
Enterprise | T1518 | Software Discovery | BRONZE BUTLER has used tools to enumerate software installed on an infected host. [3]
Enterprise | T1007 | System Service Discovery | BRONZE BUTLER has used TROJ_GETVERSION to discover system services. [3]
Enterprise | T1124 | System Time Discovery | BRONZE BUTLER has used net time to check the local time on a target system. [2]
Enterprise | T1080 | Taint Shared Content | BRONZE BUTLER has placed malware on file shares and given it the same name as legitimate documents on the share. [2]
Enterprise | T1550.003 | Use Alternate Authentication Material: Pass the Ticket | BRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access. [2]
Enterprise | T1204.002 | User Execution: Malicious File | BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails. [4] [3]
Enterprise | T1102.001 | Web Service: Dead Drop Resolver | BRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads. [2]

Software

ID | Name | References | Techniques
S0469 | ABK | [3] | Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Obfuscated Files or Information: Steganography, Process Injection, Software Discovery: Security Software Discovery
S0110 | at | [2] | Scheduled Task/Job: At
S0473 | Avenger | [3] | Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, Local Storage Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Steganography, Process Discovery, Process Injection, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery
S0470 | BBK | [3] | Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Native API, Obfuscated Files or Information: Steganography, Process Injection
S0471 | build_downer | [3] | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Ingress Tool Transfer, Local Storage Discovery, Masquerading: Masquerade Task or Service, Native API, Obfuscated Files or Information: Steganography, Software Discovery: Security Software Discovery, System Time Discovery
S0106 | cmd | [2] | Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery
S0187 | Daserf | [1] [4] | Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Archive Collected Data, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Data Obfuscation: Steganography, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Resource Name or Location, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: LSASS Memory, Screen Capture, Subvert Trust Controls: Code Signing
S0472 | down_new | [3] | Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Ingress Tool Transfer, Local Storage Discovery, Process Discovery, Software Discovery: Security Software Discovery, Software Discovery, System Network Configuration Discovery
S0008 | gsecdump | [2] [4] | OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets
S0002 | Mimikatz | [2] [4] [3] | Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 | Net | [2] | Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0111 | schtasks | [2] | Scheduled Task/Job: Scheduled Task
S0596 | ShadowPad | [5] | Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal, Ingress Tool Transfer, Local Storage Discovery, Modify Registry, Non-Application Layer Protocol, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Transfer, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0005 | Windows Credential Editor | [2] [4] | OS Credential Dumping: LSASS Memory

References

[1] Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER's Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
[2] Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
[3] Chen, J. et al. (2019, November). Operation ENDTRADE: TICK's Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
[4] DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
[5] Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.