BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.[1][2]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .004 | Application Layer Protocol: DNS |
BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.[2] |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
BONDUPDATER is written in PowerShell.[1][2] |
.003 | Command and Scripting Interpreter: Windows Command Shell |
BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.[2] |
||
Enterprise | T1568 | .002 | Dynamic Resolution: Domain Generation Algorithms |
BONDUPDATER uses a DGA to communicate with command and control servers.[1] |
Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
BONDUPDATER uses |
Enterprise | T1105 | Ingress Tool Transfer |
BONDUPDATER can download or upload files from its C2 server.[2] |
|
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
BONDUPDATER persists using a scheduled task that executes every minute.[2] |
ID | Name | References |
---|---|---|
G0049 | OilRig |