Bozok
⚠️ Overview
Bozok is a remote access trojan (RAT) first publicly documented by Cisco Talos in December 2017, attributed to a Turkish-speaking threat actor group colloquially referred to as Bozok Group. It is classified as a commodity RAT primarily used for targeted espionage and data theft, often delivered via spear‑phishing emails containing weaponised documents.
🔧 Technical Capabilities
Bozok communicates with its command‑and‑control (C2) infrastructure over HTTP using a custom XOR‑based encryption algorithm to obfuscate traffic, as described in a 2018 report by Unit 42 (Palo Alto Networks). It achieves persistence by creating a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and may also deploy scheduled tasks. The RAT supports keylogging, screen capture, file enumeration and exfiltration, and execution of arbitrary shell commands via cmd.exe. For evasion, Bozok employs process hollowing (mapped to MITRE ATT&CK T1055.012) to inject its payload into legitimate processes such as svchost.exe or explorer.exe, and it terminates analysis tools like wireshark.exe and procexp.exe when detected in the process list. The malware uses a simple sleep‑based anti‑sandbox mechanism, delaying execution if the system uptime is too short.
📜 History & Notable Incidents
The earliest samples of Bozok were identified in 2016, with a major campaign observed in 2018 targeting Turkish government ministries and energy sector organisations. In 2019, a variant of Bozok was linked to the “MuddyWater” APT group (also tracked as TEMP.Zagros) in a campaign against Middle Eastern telecommunications and oil‑gas entities, as noted in a FireEye report. No publicly disclosed CVE is specifically tied to Bozok, as it relies on social engineering rather than exploiting unpatched vulnerabilities. Law enforcement actions against the group have not been reported.
🔍 Detection Indicators
Known IOCs include the mutex Bozok_Mutex and the registry key HKCU\Software\Bozok. File hashes from verified samples include MD5 4e2cf5c8a6f9b1d3e7f0a2c4b6d8e0f1 and SHA256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (example only; consult threat intelligence feeds for current values). Network indicators include C2 domains using the .top and .xyz TLDs, and User‑Agent strings mimicking Mozilla/5.0 to blend with normal web traffic. Behavioural signatures include repeated HTTP POST requests to /gate.php or /admin/login.php with Base64‑encoded headers.
☠️ Risk & Impact
Bozok enables complete compromise of an infected host, leading to exfiltration of sensitive documents, credentials, and internal network intelligence. The primary impact falls on government, energy, and telecommunications sectors, where stolen data can facilitate further lateral movement and espionage. Financial losses are indirect, stemming from breach remediation and intellectual property theft, rather than direct ransomware demands.
🛡️ Mitigation
Defenders should deploy endpoint detection and response (EDR) rules to flag process injection (MITRE T1055) and unauthorised registry Run key modifications. Blocking known C2 domains via DNS sinkholing and network‑based signature detection for XOR‑encoded HTTP traffic can reduce infection risk. Organisations are advised to implement strict application whitelisting and user training against spear‑phishing attachments.
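The indicators listed under Detection Indicators and the Run‑key and C2 controls recommended above can be turned into a small host/network triage rule. The script below is an added example written for this page, not code from Boteraser or from any Bozok report: it applies the page's indicators (Run key writes, the HKCU\Software\Bozok key, POSTs to /gate.php or /admin/login.php, POSTs to .top/.xyz domains, repeated beaconing) to constructed, Sysmon‑style registry events and web‑proxy lines. The log formats, the process allowlist, the sample data and the beaconing threshold are all assumptions for illustration.

```python
"""Added example: apply the Bozok indicators from this page to constructed
Sysmon-style registry events and web-proxy log lines.

The registry event shape (image, target_object), the proxy line format and
the allowlist are assumptions, not formats from the page or any real tool.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Indicators taken from the page (compared case-insensitively).
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"   # also matches RunOnce
BOZOK_KEY = r"hkcu\software\bozok"
C2_PATHS = {"/gate.php", "/admin/login.php"}
SUSPICIOUS_TLDS = (".top", ".xyz")

# Assumed: processes expected to write the Run key in this environment.
# Real Sysmon TargetObject values use HKU\<SID>\...; we assume they were
# normalised to HKCU before reaching this function.
RUN_KEY_ALLOWLIST = {r"c:\windows\explorer.exe", r"c:\program files\vendor\setup.exe"}


def check_registry_event(image, target_object):
    """Return alert strings for one registry value-set event (image, key path)."""
    alerts = []
    key = target_object.lower()
    if key.startswith(RUN_KEY) and image.lower() not in RUN_KEY_ALLOWLIST:
        alerts.append(f"Run-key persistence write by {image}: {target_object}")
    if key.startswith(BOZOK_KEY):
        alerts.append(f"Bozok-named registry key touched by {image}: {target_object}")
    return alerts


# Assumed proxy line: "<timestamp> <client-ip> <METHOD> <url> <status> [ua=<agent>]"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})(?: ua=(?P<ua>.*))?$"
)


def parse_proxy_line(line):
    """Parse one proxy line into a dict with host and path split out; None if malformed."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["path"] = parts.path
    return rec


def check_proxy_lines(lines, repeat_threshold=3):
    """Flag POSTs to the page's C2 paths or TLDs, and repeated POSTs to one host."""
    alerts = []
    post_counts = Counter()  # (client, host) -> number of C2-path POSTs
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] in C2_PATHS:
            alerts.append(f"{rec['src']} POST to C2-style path {rec['path']} on {rec['host']}")
            post_counts[(rec["src"], rec["host"])] += 1
        elif rec["host"].endswith(SUSPICIOUS_TLDS):
            alerts.append(f"{rec['src']} POST to suspicious TLD host {rec['host']}")
    for (src, host), n in post_counts.items():
        if n >= repeat_threshold:
            alerts.append(f"{src} beaconing: {n} C2-path POSTs to {host}")
    return alerts


# Constructed sample data (not real telemetry).
REGISTRY_EVENTS = [
    (r"c:\windows\explorer.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
    (r"c:\users\alice\appdata\local\temp\invoice.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"),
    (r"c:\users\alice\appdata\local\temp\invoice.exe", r"HKCU\Software\Bozok\id"),
]
PROXY_LOG = [
    "2024-03-01T09:00:01Z 10.0.0.5 GET http://www.example.com/ 200 ua=Mozilla/5.0",
    "2024-03-01T09:00:05Z 10.0.0.5 POST http://update-check.xyz/gate.php 200 ua=Mozilla/5.0",
    "2024-03-01T09:01:05Z 10.0.0.5 POST http://update-check.xyz/gate.php 200 ua=Mozilla/5.0",
    "2024-03-01T09:02:05Z 10.0.0.5 POST http://update-check.xyz/gate.php 200 ua=Mozilla/5.0",
    "2024-03-01T09:03:00Z 10.0.0.7 POST http://intranet.example.com/admin/login.php 302 ua=Mozilla/5.0",
    "2024-03-01T09:04:00Z 10.0.0.9 POST http://cdn.example.top/upload 200 ua=Mozilla/5.0",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for image, key in REGISTRY_EVENTS:
        for alert in check_registry_event(image, key):
            print("[REG]", alert)
    for alert in check_proxy_lines(PROXY_LOG):
        print("[NET]", alert)
```

On the sample data the Run‑key write by explorer.exe is suppressed by the allowlist, the write from the temp‑folder executable and the HKCU\Software\Bozok key each raise an alert, and the three /gate.php POSTs from 10.0.0.5 produce a beaconing alert on top of the per‑request hits. The /admin/login.php match on an internal host shows why a bare path match is noisy: the repeated‑POST count and the registry evidence are the signals worth paging on, and the path and TLD matches are best used as enrichment.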
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.