1. Home
  2. Software
  3. BONDUPDATER

BONDUPDATER

BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[1][2]

ID: S0360
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 18 February 2019
Last Modified: 09 February 2021
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.[2]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

BONDUPDATER is written in PowerShell.[1][2]
.003 Command and Scripting Interpreter: Windows Command Shell

BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.[2]
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

BONDUPDATER uses a DGA to communicate with command and control servers.[1]
Enterprise T1564 .003 Hide Artifacts: Hidden Window

BONDUPDATER uses -windowstyle hidden to conceal a PowerShell window that downloads a payload.[1]
Enterprise T1105 Ingress Tool Transfer

BONDUPDATER can download or upload files from its C2 server.[2]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

BONDUPDATER persists using a scheduled task that executes every minute.[2]

Groups That Use This Software

ID Name References
G0049 OilRig

[1] [2]

References

  1. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  1. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.