Register to stream ATT&CKcon 2.0 October 29-30

BONDUPDATER

BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[1][2]

ID: S0360
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe. [2]
Enterprise T1483 Domain Generation Algorithms BONDUPDATER uses a DGA to communicate with command and control servers. [1]
Enterprise T1086 PowerShell BONDUPDATER is written in PowerShell. [1] [2]
Enterprise T1105 Remote File Copy BONDUPDATER can download or upload files from its C2 server. [2]
Enterprise T1053 Scheduled Task BONDUPDATER persists using a scheduled task that executes every minute. [2]
Enterprise T1071 Standard Application Layer Protocol BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control. [2]

Groups That Use This Software

ID Name References
G0049 OilRig [1] [2]

References