Skip to content

S0486 Bonadan

Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.1

Item Value
ID S0486
Associated Names
Version 1.0
Created 16 July 2020
Last Modified 10 August 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter Bonadan can create bind and reverse shells on the infected system.1
enterprise T1554 Compromise Client Software Binary Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Bonadan can XOR-encrypt C2 communications.1
enterprise T1105 Ingress Tool Transfer Bonadan can download additional modules from the C2 server.1
enterprise T1057 Process Discovery Bonadan can use the ps command to discover other cryptocurrency miners active on the system.1
enterprise T1496 Resource Hijacking Bonadan can download an additional module which has a cryptocurrency mining extension.1
enterprise T1082 System Information Discovery Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on.1
enterprise T1016 System Network Configuration Discovery Bonadan can find the external IP address of the infected host.1
enterprise T1033 System Owner/User Discovery Bonadan has discovered the username of the user running the backdoor.1