js.bellhop

BELLHOP

Actor(s): Anunak
• BELLHOP is a JavaScript backdoor interpreted using the native Windows Scripting Host (WSH).
• After performing some basic host information gathering, the BELLHOP dropper downloads a base64-encoded blob of JavaScript to disk and sets up persistence in three ways:
  • Creating a Run key in the Registry
  • Creating a RunOnce key in the Registry
  • Creating a persistent named scheduled task
• BELLHOP communicates using HTTP and HTTPS with primarily benign sites such as Google Docs and PasteBin.

References
2022-04-27, ANSSI (ANSSI): LE GROUPE CYBERCRIMINEL FIN7
Related families: Bateleur, BELLHOP, Griffon, SQLRat, POWERSOURCE, Andromeda, BABYMETAL, BlackCat, BlackMatter, BOOSTWRITE, Carbanak, Cobalt Strike, DNSMessenger, Dridex, DRIFTPIN, Gameover P2P, MimiKatz, Murofet, Qadars, Ranbyus, SocksBot

2018-10-01, FireEye (Katie Nickels, Regina Elwell): ATT&CKing FIN7
Related families: Bateleur, BELLHOP, Griffon, ANTAK, POWERPIPE, POWERSOURCE, HALFBAKED, BABYMETAL, Carbanak, Cobalt Strike, DNSMessenger, DRIFTPIN, PILLOWMINT, SocksBot

2018-08-01, FireEye (Barry Vengerik, Kimberly Goody, Nick Carr, Steve Miller): On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation
Related families: BELLHOP, POWERPIPE, BABYMETAL, SocksBot, FIN7

There is no YARA signature yet.