BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.
|Enterprise||T1059||Command-Line Interface||BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.|
|Enterprise||T1483||Domain Generation Algorithms||BONDUPDATER uses a DGA to communicate with command and control servers.|
|Enterprise||T1086||PowerShell||BONDUPDATER is written in PowerShell.|
|Enterprise||T1105||Remote File Copy||BONDUPDATER can download or upload files from its C2 server.|
|Enterprise||T1053||Scheduled Task||BONDUPDATER persists using a scheduled task that executes every minute.|
|Enterprise||T1071||Standard Application Layer Protocol||BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.|
Groups that use this software:OilRig