BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[1][2]

ID: S0360
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1059Command-Line InterfaceBONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.[2]
EnterpriseT1483Domain Generation AlgorithmsBONDUPDATER uses a DGA to communicate with command and control servers.[1]
EnterpriseT1086PowerShellBONDUPDATER is written in PowerShell.[1][2]
EnterpriseT1105Remote File CopyBONDUPDATER can download or upload files from its C2 server.[2]
EnterpriseT1053Scheduled TaskBONDUPDATER persists using a scheduled task that executes every minute.[2]
EnterpriseT1071Standard Application Layer ProtocolBONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.[2]


Groups that use this software: