BBSRAT

BBSRAT Description

The BBSRAT threat is a Remote Access Trojan with a variety of features. This threat allows its operators to gain remote access to the infiltrated system and provides them with the ability to plant additional payloads on the host. The operators of BBSRAT would be able to execute commands and code remotely on the breached computer. BBSRAT also collects data regarding the software, hardware, and configuration of the infected host. The BBSRAT malware can be used for a variety of nefarious purposes, including data destruction, reconnaissance, and others.

It would appear that the developers of the BBSRAT threat call themselves 'Roaming Tiger,' but it is not clear where they originate from or what the motive behind their malicious operations is. The Roaming Tiger hacking group likely first emerged in 2015-2016, when malware experts intercepted phishing emails written entirely in Russian. Furthermore, most of the victims of the Roaming Tiger group appear to be located in Russian-speaking states.

To carry out its attacks, the Roaming Tiger group appears to rely on certain known vulnerabilities found in outdated versions of office applications, such as CVE-2012-0158. The hacking group would normally use a document file that spawns a prompt urging the user to click on 'Enable Content.' If the user follows the instructions, they will see a decoy document file, which keeps their attention while the corrupted script of the threat is executed in the background via the CVE-2012-0158 vulnerability.

To gain persistence on the breached host, BBSRAT would tamper with the Windows Registry. Once BBSRAT has successfully gained persistence, it is able to execute a list of commands provided by the attackers' C&C (Command & Control) server. The commands include:

  • Uploading additional files from the C&C server.
  • Fetching directory structure.
  • Receiving a list of files.
  • Listing active processes.
  • Terminating certain active processes.
  • Providing the C&C server with feedback on the executed commands.
  • Executing, editing and deleting files.
  • Uninstalling the threat and wiping the traces of its activity.

Malware researchers believe that the Roaming Tiger group may have introduced updates to the BBSRAT threat, as the aforementioned capabilities were employed in operations during the 2015-2016 period. Make sure your system and your network are safe from BBSRAT by using a reputable, up-to-date anti-virus software suite.

Technical Information

More Details on BBSRAT

The following URLs were found:
Tip: We recommend blocking the domain names as well as the IP addresses associated with them.