Bondnet Using Miner Bots as C2

MalBot · June 12, 2024, 4:21am

Bondnet first became known to the public in an analysis report published by GuardiCore in 2017¹ and Bondnet’s backdoor was covered in an analysis report on XMRig miner targeting SQL servers released by DFIR Report in 2022². There has not been any information on the Bondnet threat actor’s activities thereon, but it was confirmed that they had continued their attacks until recent times.

AhnLab SEcurity Intelligence Center (ASEC) found through analyzing systems infected with Bondnet miners that the Bondnet threat actor is still active and discovered circumstances of them configuring a reverse RDP environment on high-performance bots and using them as C2 servers since 2023. The reverse RDP environment was established on high-performance bots that fulfilled certain conditions.

Behavior

Behavior Condition

Add an adminxy account

is_pc (CPU condition check)

If the CPU manufacturer is Intel

If the model number is i3, i5, i7, or i9

is_pc2 (network interface condition check)

If the network interface manufacturer is Red Hat

arr_find_str

If the system’s language setting is one of the following:
- Russian, Korean, English, or Japanese
- The footnoted Dead Code includes a syntax

Download a reverse RDP program

Conditions for adding an adminxy account are met

If the CPU core count exceeds 10

Table 1. Conditions for establishing a reverse RDP environment in the backdoor

The Bondnet threat actor used proxy servers and a fast reverse proxy (hereinafter “FRP”) tool to configure the reverse RDP environment. FRP is an open-source proxy program published on GitHub and the Bondnet threat actor modified the FRP program code before using it. The FRP program file modified by the threat actor included information necessary for connection including the threat actor’s proxy server address, protocol, port, and token name.

Figure 1. Reverse RDP tool (FRP) that Bondnet modified and used

After configuring the reverse RDP environment using the modified FRP program, the threat actor accessed the target system via RDP and executed two programs.

First, they executed the Cloudflare tunneling client.

The Cloudflare tunneling client allows tunneling between a certain port in the system it is executed in and a domain mapped to the Cloudflare network.

Figure 2. Cloudflare tunneling client³

The Bondnet threat actor’s C2 domain is registered on Cloudflare and the threat actor was able to use the Cloudflare tunneling client to link a certain service in the target system with the C2 domain registered in Cloudflare.

Figure 3. The IP information of the threat actor’s C2 domain

Next, they executed an HTTP File Server (HFS) program.

Upon execution, the HFS program provides a file server service to the TCP 4000 port. For the HFS program, similarities could be found with the threat actor’s C2 environment. It was confirmed that the reply message for requesting a path that does not exist and the login pop-up that appears when approaching the directory path were the same. It is believed that the same HFS program would have been running in the C2 at the time of analysis.

Figure 4. A response page for requesting a file that does not exist, main.exe test (top) and threat actor’s C2 (bottom)

Figure 5. A login pop-up window displayed upon approaching the directory path, main.exe test (top) and threat actor’s C2 (bottom)

The Bondnet threat actor used two programs in the affected system to create the HFS service in the target system and tried to connect the service with the Cloudflare domain via tunneling to use as a C2.

However, the HFS program written in Golang failed to run due to environmental issues of the affected system, and the ASEC team could not confirm the behavior of the system being converted to a C2. Although the actual conversion process could not be observed, the following circumstances lead to the conclusion that the threat actor intended to utilize a botnet system as a C2.

After the reverse RDP connection, there were no observed behaviors in the affected system of information leakage or internal movement
The threat actor executed the Cloudflare tunneling client and the HFS program in the target system
The threat actor’s C2 domain is linked to Cloudflare
The UI of the HFS program and that of the threat actor’s C2 are the same
Some malicious files could not be downloaded from the threat actor’s C2 at the time of analysis
About one month later, the UI of the threat actor’s C2 changed, new malicious files appeared, and deleted malicious files were restored

After failing to convert the affected system to a C2, the Bondnet threat actor changed the C2 UI about a month later. It seems as if after facing failure in the target system, the threat actor used another bot to replace the C2, likely employing another program instead of the HFS program which caused an issue in the target system.

[File Detection]

CoinMiner/Win.XMRig.C5449500(2023.07.05.00)
Downloader/FOMB.Agent(2024.02.27.00)
Downloader/Win64.Agent.C2426880(2018.03.29.04)
HackTool/Win.Agent(2024.03.15.00)
HackTool/Win.Frpc.C5473755(2023.08.20.03)
HackTool/Win.PassViewer.C5353351(2023.01.09.03)
HackTool/Win.PassViewer.C5353353(2023.04.26.02)
HackTool/Win.PstPass.C5135577(2022.08.31.02)
HackTool/Win.PSWTool.R345815(2023.06.02.01)
HackTool/Win32.Mailpassview.R165244(2016.07.12.09)
Ransomware/Win.Phobos.R363595(2023.08.28.04)
Trojan/BAT.RUNNER.SC198137(2024.03.15.00)
Trojan/BAT.RUNNER.SC198138(2024.03.15.00)
Trojan/BAT.Runner.SC198226(2024.03.18.02)
Trojan/RL.Mimikatz.R248084(2018.12.10.01)
Trojan/Win.Lazardoor.R496534(2022.05.14.01)
Trojan/Win32.Infostealer.C1259157(2015.11.16.06)
Trojan/Win32.Infostealer.C1259157(2015.11.16.06)
Trojan/Win32.Infostealer.C1259157(2020.07.17.00)
Trojan/Win32.Miner.C2462674(2018.04.13.09)
Trojan/Win32.Neshta.X2117(2018.03.16.06)
Unwanted/Win.PassView.C5359535(2023.01.16.03)
Unwanted/Win32.HackTool.C613821(2014.11.02.03)
Unwanted/Win32.Masscan.C3122810(2019.12.06.00)
Unwanted/Win32.Passview.C568442(2014.09.23.00)
Unwanted/Win32.PassView.R333746(2020.04.22.08)

[IOCs]

MD5s

D6B2FEEA1F03314B21B7BB1EF2294B72(smss.exe)
2513EB59C3DB32A2D5EFBEDE6136A75D(mf)
E919EDC79708666CD3822F469F1C3714(hotfixl.exe)
432BF16E0663A07E4BD4C4EAD68D8D3D(main.exe)
9B7BE5271731CFFC51EBDF9E419FA7C3(dss.exe)
7F31636F9B74AB93A268F5A473066053(BulletsPassView64.exe)
D28F0CFAE377553FCB85918C29F4889B(VNCPassView.exe)
6121393A37C3178E7C82D1906EA16FD4(PstPassword.exe)
0753CAB27F143E009012053208B7F63E(netpass64.exe)
782DD6152AB52361EBA2BAFD67771FA0(mailpv.exe)
8CAFDBB0A919A1DE8E0E9E38F8AA19BD(PCHunter32.exe)
00FA7F88C54E4A7ABF4863734A8F2017(fast.exe)
AD3D95371C1A8465AC73A3BC2817D083(kit.bat)
15069DA45E5358578105F729EC1C2D0B(zmass_2.bat)
28C2B019082763C7A90EF63BFD2F833A(dss.bat)
5410539E34FB934133D6C689072BA49D(mimikatz.exe)
59FEB67C537C71B256ADD4F3CBCB701C(ntuser.cpl)
0FC84B8B2BD57E1CF90D8D972A147503(httpd.exe)
057D5C5E6B3F3D366E72195B0954283B(check.exe)
35EE8D4E45716871CB31A80555C3D33E(UpSql.exe)
1F7DF25F6090F182534DDEF93F27073D(svchost.exe)
DC8A0D509E84B92FBF7E794FBBE6625B(svchost.com)
76B916F3EEB80D44915D8C01200D0A94(RouterPassView.exe)
44BD492DFB54107EBFE063FCBFBDDFF5(rdpv.exe)
E0DB0BF8929CCAAF6C085431BE676C45(mass.dll)
DF218168BF83D26386DFD4ECE7AEF2D0(mspass.exe)
35861F4EA9A8ECB6C357BDB91B7DF804(pspv.exe)

URLs & C2s

223.223.188[.]19
185.141.26[.]116/stats.php
185.141.26[.]116/hotfixl.ico
185.141.26[.]116/winupdate.css
84.46.22[.]158:7000
46.59.214[.]14:7000
46.59.210[.]69:7000
47.99.155[.]111
d.mymst[.]top
m.mymst[.]top
frp.mymst007[.]top

Reference Links

1 The Bondnet Army: https://www.akamai.com/blog/security/the-bondnet-army
2 SELECT XMRig FROM SQLServer: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver
3 Cloudflare Docs: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Bondnet Using Miner Bots as C2 appeared first on ASEC BLOG.

Article Link: Bondnet Using Miner Bots as C2 - ASEC BLOG