Bondnet Using High-Performance Bots For C2 Server
Threat actors abuse high-performance bots to build large-scale automated attacks effectively.
These bots can operate quickly, flood systems, steal data, and conduct and orchestrate sophisticated cyber operations largely autonomously.
Cybersecurity researchers at ASEC recently discovered that Bondnet has been using high-performance bots as C2 servers.
Technical Analysis
Bondnet, a threat actor that has deployed backdoors and cryptocurrency miners since 2017, was still finding new approaches.
The ASEC researchers noted that Bondnet configures reverse RDP environments on high-performance compromised systems, using them as C2 servers.
This involved modifying an open-source fast reverse proxy (FRP) tool to embed the threat actor's proxy server information.
This included building an FRP-based reverse RDP environment, in which Bondnet ran various programs on the targets, such as the Cloudflare tunneling client, for remote access, ensuring that they kept persistent control of compromised assets.
The Cloudflare tunneling client is one of the methods the Bondnet threat actors used to connect a service on the compromised target with their C2 domain after registering a C2 domain on Cloudflare.
One of the applications executed was HFS, which provided a file server service on TCP port 4000. The tool's layout resembled this threat actor's Command and Control infrastructure.
The HFS Golang program encountered environmental problems, which made it impossible to examine how the system might have been turned into a command-and-control one.
Nonetheless, strong evidence indicates that Bondnet wanted to use high-performance compromised systems as part of their C2 infrastructure through this tunneling method.
Bondnet, a threat actor, linked compromised targets with the Cloudflare tunneling client and HFS program to associate system services with the Cloudflare-hosted C2 domain.
They would have intended to convert high-performance bots into their C2 infrastructure through reverse RDP connections.
No data exfiltration or lateral movement was detected, although similarities between the HFS program UI and the actor's C2 suggested its intended use.
During analysis of this method, it was found that the HFS program did not work properly.
Some months later, the actors' C2 UI changed, with new malicious files appearing and ones that had been deleted previously being restored, suggesting that they may have used another compromised bot with different tooling after running into problems while turning the initial target into a C2 node.
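The tradecraft described above leaves a recognisable footprint on the victim: an FRP client (frpc) connecting out to an FRP server (frps listens on port 7000 by default), a cloudflared tunnel process, HFS listening on TCP 4000, and RDP sessions that arrive from loopback because they were forwarded through the reverse proxy. The following hunting script is an added example, not code from the ASEC report or from cybersecuritynews.com; the telemetry it runs over is constructed, and the host names, paths and IP addresses in it are placeholders.

```python
"""Hunting heuristics for reverse-RDP-over-FRP tradecraft: frpc phoning home to
port 7000, a cloudflared tunnel, HFS on TCP 4000, and RDP reaching the host via
loopback (what a reverse-proxied RDP port looks like from the victim's side)."""
import re

# Constructed sample telemetry (not real data); fields mimic Sysmon-style events.
SAMPLE_EVENTS = [
    {"type": "process", "host": "srv01", "image": r"C:\Windows\Temp\frpc.exe",
     "cmdline": "frpc.exe -c frpc.ini"},
    {"type": "net", "host": "srv01", "image": r"C:\Windows\Temp\frpc.exe",
     "dst_ip": "198.51.100.7", "dst_port": 7000, "initiated": True},
    {"type": "process", "host": "srv01", "image": r"C:\Users\Public\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token TOKEN_PLACEHOLDER"},
    {"type": "listen", "host": "srv01", "image": r"C:\Users\Public\hfs.exe", "port": 4000},
    {"type": "net", "host": "srv01", "image": r"C:\Windows\System32\svchost.exe",
     "src_ip": "127.0.0.1", "dst_port": 3389, "initiated": False},
    {"type": "process", "host": "ws07", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z.exe a backup.7z docs"},   # benign noise, must not match
]

FRP_DEFAULT_PORT = 7000   # frps default bind_port
HFS_PORT = 4000           # port the article reports for the HFS file server
RDP_PORT = 3389

def triage(events):
    """Return (rule, host, detail) tuples for every event matching a heuristic."""
    hits = []
    for e in events:
        image = e.get("image", "").lower()
        cmd = e.get("cmdline", "").lower()
        if e["type"] == "process" and re.search(r"(^|\\)frp[cs](\.exe)?$", image):
            hits.append(("frp_client", e["host"], e["cmdline"]))
        elif e["type"] == "process" and "cloudflared" in image and "tunnel" in cmd:
            hits.append(("cloudflared_tunnel", e["host"], e["cmdline"]))
        elif e["type"] == "net" and e.get("initiated") and e["dst_port"] == FRP_DEFAULT_PORT:
            hits.append(("frp_server_port", e["host"],
                         f"{image} -> {e['dst_ip']}:{e['dst_port']}"))
        elif e["type"] == "listen" and e["port"] == HFS_PORT:
            hits.append(("hfs_listener", e["host"], image))
        elif (e["type"] == "net" and not e.get("initiated")
              and e["dst_port"] == RDP_PORT and e.get("src_ip", "").startswith("127.")):
            hits.append(("loopback_rdp", e["host"], "inbound RDP from loopback (tunnelled)"))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The loopback-RDP rule is the most durable of the five: renaming frpc or moving HFS to another port defeats the name and port checks, but RDP logons whose source is 127.0.0.1 are rare on a server that is not running a local tunnel.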
IOCs
Source credit: cybersecuritynews.com