Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.[1]

ID: S0486
Platforms: Linux
Version: 1.0
Created: 16 July 2020
Last Modified: 10 August 2020

Techniques Used

Domain ID Name Use
Enterprise T1059 Command and Scripting Interpreter

Bonadan can create bind and reverse shells on the infected system.[1]

Enterprise T1554 Compromise Host Software Binary

Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Bonadan can XOR-encrypt C2 communications.[1]

Enterprise T1105 Ingress Tool Transfer

Bonadan can download additional modules from the C2 server.[1]

Enterprise T1057 Process Discovery

Bonadan can use the ps command to discover other cryptocurrency miners active on the system.[1]

Enterprise T1496 Resource Hijacking

Bonadan can download an additional module which has a cryptocurrency mining extension.[1]

Enterprise T1082 System Information Discovery

Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on.[1]

Enterprise T1016 System Network Configuration Discovery

Bonadan can find the external IP address of the infected host.[1]

Enterprise T1033 System Owner/User Discovery

Bonadan has discovered the username of the user running the backdoor.[1]