Skip to content

S0360 BONDUPDATER

BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.12

Item Value
ID S0360
Associated Names
Type MALWARE
Version 1.2
Created 18 February 2019
Last Modified 09 February 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell BONDUPDATER is written in PowerShell.12
enterprise T1059.003 Windows Command Shell BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.2
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms BONDUPDATER uses a DGA to communicate with command and control servers.1
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window BONDUPDATER uses -windowstyle hidden to conceal a PowerShell window that downloads a payload.1
enterprise T1105 Ingress Tool Transfer BONDUPDATER can download or upload files from its C2 server.2
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task BONDUPDATER persists using a scheduled task that executes every minute.2

Groups That Use This Software

ID Name References
G0049 OilRig 1 2

References

  1. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  2. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.