Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.^[1]

ID: S0486

ⓘ

Type: MALWARE

ⓘ

Platforms: Linux

Version: 1.0

Created: 16 July 2020

Last Modified: 10 August 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059		Command and Scripting Interpreter	Bonadan can create bind and reverse shells on the infected system.^[1]
Enterprise	T1554		Compromise Client Software Binary	Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	Bonadan can XOR-encrypt C2 communications.^[1]
Enterprise	T1105		Ingress Tool Transfer	Bonadan can download additional modules from the C2 server.^[1]
Enterprise	T1057		Process Discovery	Bonadan can use the `ps` command to discover other cryptocurrency miners active on the system.^[1]
Enterprise	T1496		Resource Hijacking	Bonadan can download an additional module which has a cryptocurrency mining extension.^[1]
Enterprise	T1082		System Information Discovery	Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on.^[1]
Enterprise	T1016		System Network Configuration Discovery	Bonadan can find the external IP address of the infected host.^[1]
Enterprise	T1033		System Owner/User Discovery	Bonadan has discovered the username of the user running the backdoor.^[1]

References

Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.

Bonadan

Enterprise Layer

Techniques Used

References