BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[1][2]

ID: S0360
Platforms: Windows
Version: 1.2
Created: 18 February 2019
Last Modified: 09 February 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

BONDUPDATER is written in PowerShell.[1][2]

.003 Command and Scripting Interpreter: Windows Command Shell

BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.[2]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

BONDUPDATER uses a DGA to communicate with command and control servers.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

BONDUPDATER uses -windowstyle hidden to conceal a PowerShell window that downloads a payload.[1]

Enterprise T1105 Ingress Tool Transfer

BONDUPDATER can download or upload files from its C2 server.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

BONDUPDATER persists using a scheduled task that executes every minute.[2]

Groups That Use This Software

ID Name References
G0049 OilRig

[1] [2]