S0486 Bonadan
Bonadan is a trojanized build of OpenSSH that acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors. [1]
Item | Value |
---|---|
ID | S0486 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 16 July 2020 |
Last Modified | 10 August 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | Bonadan can create bind and reverse shells on the infected system. [1] |
enterprise | T1554 | Compromise Client Software Binary | Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor. [1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Bonadan can XOR-encrypt C2 communications. [1] |
enterprise | T1105 | Ingress Tool Transfer | Bonadan can download additional modules from the C2 server. [1] |
enterprise | T1057 | Process Discovery | Bonadan can use the ps command to discover other cryptocurrency miners active on the system. [1] |
enterprise | T1496 | Resource Hijacking | Bonadan can download an additional module which has a cryptocurrency mining extension. [1] |
enterprise | T1082 | System Information Discovery | Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on. [1] |
enterprise | T1016 | System Network Configuration Discovery | Bonadan can find the external IP address of the infected host. [1] |
enterprise | T1033 | System Owner/User Discovery | Bonadan has discovered the username of the user running the backdoor. [1] |
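The T1554 row above says Bonadan replaces the OpenSSH binary on the host. The Python below is an added example written for this page, not Bonadan's code and not part of the ATT&CK entry: it checks files against a dpkg-style .md5sums manifest (the format dpkg keeps under /var/lib/dpkg/info/<package>.md5sums, one "<md5>  <path relative to />" line per file) and reports each entry as ok, modified or missing. The manifest text, the temporary root, the fake sshd contents and the second manifest entry are all constructed so the script runs offline.

```python
"""Added example (not Bonadan's code): verify files against a dpkg-style
.md5sums manifest to spot a replaced sshd, the T1554 behaviour above.

dpkg records one manifest per installed package under
/var/lib/dpkg/info/<package>.md5sums, one line per file:
    <32 hex md5>  <path relative to />
The manifest text and the fake binary below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse '<md5>  <relative path>' lines into {relative path: md5hex}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        digest, sep, rel = line.partition("  ")
        if not sep or len(digest) != 32 or not rel:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[rel] = digest.lower()
    return entries


def md5_of_file(path):
    """Stream the file through MD5; dpkg manifests record MD5, so we match it."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest_text, root="/"):
    """Return {relative path: 'ok' | 'modified' | 'missing'} for every entry."""
    results = {}
    for rel, expected in parse_md5sums(manifest_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif md5_of_file(full) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def demo():
    """Build a throwaway root with a fake sshd, record it, then tamper with it.

    Returns (clean_results, tampered_results) so the outcome can be checked.
    """
    with tempfile.TemporaryDirectory() as root:
        sshd_rel = "usr/sbin/sshd"
        man_rel = "usr/share/man/man8/sshd.8.gz"  # constructed entry, left absent
        sshd_path = os.path.join(root, sshd_rel)
        os.makedirs(os.path.dirname(sshd_path))
        # Constructed stand-in for the real binary: any bytes will do.
        with open(sshd_path, "wb") as f:
            f.write(b"\x7fELF clean sshd build\n")
        manifest = (
            f"{md5_of_file(sshd_path)}  {sshd_rel}\n"
            f"{'0' * 32}  {man_rel}\n"
        )
        clean = verify_manifest(manifest, root)

        # Simulate the T1554 replacement: same path, different contents.
        with open(sshd_path, "wb") as f:
            f.write(b"\x7fELF sshd with backdoor\n")
        tampered = verify_manifest(manifest, root)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    for rel, status in tampered.items():
        print(f"{status:9s} {rel}")
```

An on-host manifest is only as trustworthy as the host: an attacker who could write sshd as root could also rewrite the manifest, so treat this (and dpkg -V or rpm -V) as a first pass, and confirm a suspect binary against hashes taken from a clean package fetched from the distribution mirror.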
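The T1573.001 row above notes that Bonadan XOR-encrypts its C2 traffic. The example below is added for this page and is not Bonadan's protocol: the beacon layout, the field names and the key b"Kv9" are constructed assumptions. It shows why repeating-key XOR gives an analyst holding a capture little trouble: with a known or guessed plaintext fragment (a crib such as "user=") the key falls out directly, and the decrypted beacon can then be parsed into the host facts the discovery rows describe.

```python
"""Added example (not Bonadan's protocol): recover a repeating XOR key from a
captured C2 message with a known-plaintext crib, the weakness behind the
T1573.001 row above.

The beacon layout, field names and the key b"Kv9" are constructed for the demo.
"""

# Constructed beacon carrying the kinds of host facts the table above lists.
BEACON = (b"os=Linux 5.15.0;cpu=Intel(R) Xeon(R) CPU;ram=16384MB;"
          b"user=root;ip=203.0.113.7")
KEY = b"Kv9"  # assumed repeating key for the demo


def xor_bytes(data, key):
    """XOR data with a repeating key; encryption and decryption are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


ENC_BEACON = xor_bytes(BEACON, KEY)  # what the analyst sees on the wire


def looks_like_text(buf):
    """True if every byte is printable ASCII or common whitespace."""
    return all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in buf)


def recover_key(ciphertext, crib, max_key_len=16):
    """Drag a crib across the ciphertext and try every key length.

    Each crib byte fixes one key slot (ciphertext ^ plaintext). A position and
    length are accepted when every slot is filled without contradiction and
    the full decryption is printable text. Returns (key, plaintext) or
    (None, None). The shortest consistent key is reported, so a key of
    b"KvKv" would come back as b"Kv".
    """
    for key_len in range(1, max_key_len + 1):
        if len(crib) < key_len:
            break  # crib too short to fix every slot of a longer key
        for pos in range(len(ciphertext) - len(crib) + 1):
            slots = [None] * key_len
            consistent = True
            for i, p in enumerate(crib):
                idx = pos + i
                k = ciphertext[idx] ^ p
                if slots[idx % key_len] is None:
                    slots[idx % key_len] = k
                elif slots[idx % key_len] != k:
                    consistent = False
                    break
            if not consistent or None in slots:
                continue
            key = bytes(slots)
            plaintext = xor_bytes(ciphertext, key)
            if looks_like_text(plaintext):
                return key, plaintext
    return None, None


def parse_beacon(plaintext):
    """Split 'k=v;k=v' into a dict; the discovery rows above map onto these keys."""
    fields = {}
    for item in plaintext.decode("ascii").split(";"):
        if not item:
            continue
        name, _, value = item.partition("=")
        fields[name] = value
    return fields


if __name__ == "__main__":
    key, plaintext = recover_key(ENC_BEACON, b"user=")
    print("recovered key:", key)
    print("beacon fields:", parse_beacon(plaintext))
```

Once one key is recovered, every other message in the capture decrypts with the same xor_bytes call, and the parsed fields show exactly which of the discovery techniques above the implant carried out on that host.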