Bondnet first became known to the public in an analysis report published by GuardiCore in 20171 and Bondnet’s backdoor was covered in an analysis report on XMRig miner targeting SQL servers released by DFIR Report in 20222. There has not been any information on the Bondnet threat actor’s activities thereon, but it was confirmed that they had continued their attacks until recent times.
AhnLab SEcurity Intelligence Center (ASEC) found through analyzing systems infected with Bondnet miners that the Bondnet threat actor is still active and discovered circumstances of them configuring a reverse RDP environment on high-performance bots and using them as C2 servers since 2023. The reverse RDP environment was established on high-performance bots that fulfilled certain conditions.
Behavior | Behavior Condition |
Add an adminxy account |
is_pc (CPU condition check)
is_pc2 (network interface condition check)
arr_find_str
|
Download a reverse RDP program |
Conditions for adding an adminxy account are met If the CPU core count exceeds 10 |
The Bondnet threat actor used proxy servers and a fast reverse proxy (hereinafter “FRP”) tool to configure the reverse RDP environment. FRP is an open-source proxy program published on GitHub and the Bondnet threat actor modified the FRP program code before using it. The FRP program file modified by the threat actor included information necessary for connection including the threat actor’s proxy server address, protocol, port, and token name.
After configuring the reverse RDP environment using the modified FRP program, the threat actor accessed the target system via RDP and executed two programs.
First, they executed the Cloudflare tunneling client.
The Cloudflare tunneling client allows tunneling between a certain port in the system it is executed in and a domain mapped to the Cloudflare network.
The Bondnet threat actor’s C2 domain is registered on Cloudflare and the threat actor was able to use the Cloudflare tunneling client to link a certain service in the target system with the C2 domain registered in Cloudflare.
Next, they executed an HTTP File Server (HFS) program.
Upon execution, the HFS program provides a file server service to the TCP 4000 port. For the HFS program, similarities could be found with the threat actor’s C2 environment. It was confirmed that the reply message for requesting a path that does not exist and the login pop-up that appears when approaching the directory path were the same. It is believed that the same HFS program would have been running in the C2 at the time of analysis.
The Bondnet threat actor used two programs in the affected system to create the HFS service in the target system and tried to connect the service with the Cloudflare domain via tunneling to use as a C2.
However, the HFS program written in Golang failed to run due to environmental issues of the affected system, and the ASEC team could not confirm the behavior of the system being converted to a C2. Although the actual conversion process could not be observed, the following circumstances lead to the conclusion that the threat actor intended to utilize a botnet system as a C2.
- After the reverse RDP connection, there were no observed behaviors in the affected system of information leakage or internal movement
- The threat actor executed the Cloudflare tunneling client and the HFS program in the target system
- The threat actor’s C2 domain is linked to Cloudflare
- The UI of the HFS program and that of the threat actor’s C2 are the same
- Some malicious files could not be downloaded from the threat actor’s C2 at the time of analysis
- About one month later, the UI of the threat actor’s C2 changed, new malicious files appeared, and deleted malicious files were restored
After failing to convert the affected system to a C2, the Bondnet threat actor changed the C2 UI about a month later. It seems as if after facing failure in the target system, the threat actor used another bot to replace the C2, likely employing another program instead of the HFS program which caused an issue in the target system.
[File Detection]
- CoinMiner/Win.XMRig.C5449500(2023.07.05.00)
- Downloader/FOMB.Agent(2024.02.27.00)
- Downloader/Win64.Agent.C2426880(2018.03.29.04)
- HackTool/Win.Agent(2024.03.15.00)
- HackTool/Win.Frpc.C5473755(2023.08.20.03)
- HackTool/Win.PassViewer.C5353351(2023.01.09.03)
- HackTool/Win.PassViewer.C5353353(2023.04.26.02)
- HackTool/Win.PstPass.C5135577(2022.08.31.02)
- HackTool/Win.PSWTool.R345815(2023.06.02.01)
- HackTool/Win32.Mailpassview.R165244(2016.07.12.09)
- Ransomware/Win.Phobos.R363595(2023.08.28.04)
- Trojan/BAT.RUNNER.SC198137(2024.03.15.00)
- Trojan/BAT.RUNNER.SC198138(2024.03.15.00)
- Trojan/BAT.Runner.SC198226(2024.03.18.02)
- Trojan/RL.Mimikatz.R248084(2018.12.10.01)
- Trojan/Win.Lazardoor.R496534(2022.05.14.01)
- Trojan/Win32.Infostealer.C1259157(2015.11.16.06)
- Trojan/Win32.Infostealer.C1259157(2015.11.16.06)
- Trojan/Win32.Infostealer.C1259157(2020.07.17.00)
- Trojan/Win32.Miner.C2462674(2018.04.13.09)
- Trojan/Win32.Neshta.X2117(2018.03.16.06)
- Unwanted/Win.PassView.C5359535(2023.01.16.03)
- Unwanted/Win32.HackTool.C613821(2014.11.02.03)
- Unwanted/Win32.Masscan.C3122810(2019.12.06.00)
- Unwanted/Win32.Passview.C568442(2014.09.23.00)
- Unwanted/Win32.PassView.R333746(2020.04.22.08)
[IOCs]
MD5s
- D6B2FEEA1F03314B21B7BB1EF2294B72(smss.exe)
- 2513EB59C3DB32A2D5EFBEDE6136A75D(mf)
- E919EDC79708666CD3822F469F1C3714(hotfixl.exe)
- 432BF16E0663A07E4BD4C4EAD68D8D3D(main.exe)
- 9B7BE5271731CFFC51EBDF9E419FA7C3(dss.exe)
- 7F31636F9B74AB93A268F5A473066053(BulletsPassView64.exe)
- D28F0CFAE377553FCB85918C29F4889B(VNCPassView.exe)
- 6121393A37C3178E7C82D1906EA16FD4(PstPassword.exe)
- 0753CAB27F143E009012053208B7F63E(netpass64.exe)
- 782DD6152AB52361EBA2BAFD67771FA0(mailpv.exe)
- 8CAFDBB0A919A1DE8E0E9E38F8AA19BD(PCHunter32.exe)
- 00FA7F88C54E4A7ABF4863734A8F2017(fast.exe)
- AD3D95371C1A8465AC73A3BC2817D083(kit.bat)
- 15069DA45E5358578105F729EC1C2D0B(zmass_2.bat)
- 28C2B019082763C7A90EF63BFD2F833A(dss.bat)
- 5410539E34FB934133D6C689072BA49D(mimikatz.exe)
- 59FEB67C537C71B256ADD4F3CBCB701C(ntuser.cpl)
- 0FC84B8B2BD57E1CF90D8D972A147503(httpd.exe)
- 057D5C5E6B3F3D366E72195B0954283B(check.exe)
- 35EE8D4E45716871CB31A80555C3D33E(UpSql.exe)
- 1F7DF25F6090F182534DDEF93F27073D(svchost.exe)
- DC8A0D509E84B92FBF7E794FBBE6625B(svchost.com)
- 76B916F3EEB80D44915D8C01200D0A94(RouterPassView.exe)
- 44BD492DFB54107EBFE063FCBFBDDFF5(rdpv.exe)
- E0DB0BF8929CCAAF6C085431BE676C45(mass.dll)
- DF218168BF83D26386DFD4ECE7AEF2D0(mspass.exe)
- 35861F4EA9A8ECB6C357BDB91B7DF804(pspv.exe)
URLs & C2s
- 223.223.188[.]19
- 185.141.26[.]116/stats.php
- 185.141.26[.]116/hotfixl.ico
- 185.141.26[.]116/winupdate.css
- 84.46.22[.]158:7000
- 46.59.214[.]14:7000
- 46.59.210[.]69:7000
- 47.99.155[.]111
- d.mymst[.]top
- m.mymst[.]top
- frp.mymst007[.]top
Reference Links
1 The Bondnet Army: https://www.akamai.com/blog/security/the-bondnet-army
2 SELECT XMRig FROM SQLServer: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver
3 Cloudflare Docs: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Bondnet Using Miner Bots as C2 appeared first on ASEC BLOG.