
Bondnet Using High-Performance Bots For C2 Server

Threat actors abuse high-performance bots to carry out large-scale automated attacks efficiently.

These bots can work quickly, flood systems, steal information, and conduct and orchestrate sophisticated cyber operations largely autonomously.

Cybersecurity researchers at ASEC recently discovered that Bondnet has used high-performance bots for C2 servers.

Technical Analysis

Bondnet, a threat actor that has deployed backdoors and cryptocurrency miners since 2017, continues to adopt new approaches.

The ASEC researchers noted that Bondnet configures reverse RDP environments on high-performance compromised systems and uses those systems as C2 servers.


This involved modifying an open-source fast reverse proxy (FRP) tool so that the threat actor's proxy server information was embedded in it.

After setting up the FRP-based reverse RDP environment, Bondnet ran various other programs on the targets, such as the Cloudflare tunneling client, to keep remote access and retain control of the compromised systems.
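The reverse RDP setup described above works by pointing a reverse-proxy client at the actor's server and mapping a local service (RDP on 3389, or the HFS file server on 4000 mentioned later in this article) to a remote port. The following added example is not code from the article or from ASEC: it parses a constructed client configuration in the classic `frpc.ini` layout (an assumption about which FRP format the modified tool embedded; newer FRP releases use TOML) and flags proxies that expose RDP or the port-4000 file server, plus a server address that appears in the article's C2 list. The sample configuration is constructed for illustration.

```python
import configparser
from typing import Dict, List, Set

# Constructed sample in the classic frpc.ini layout. The server address is one
# of the C2 endpoints listed in the article's IOCs; nothing here connects to it.
SAMPLE_FRPC_INI = """
[common]
server_addr = 84.46.22.158
server_port = 7000
token = placeholder-token

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

[hfs]
type = tcp
local_ip = 127.0.0.1
local_port = 4000
remote_port = 6001
"""

# C2 endpoints from the article's IOC list (refanged), used only for matching.
KNOWN_C2_HOSTS: Set[str] = {"84.46.22.158", "46.59.214.14", "46.59.210.69"}

# Local services whose exposure through a reverse proxy is suspicious on a server.
SUSPICIOUS_LOCAL_PORTS: Dict[int, str] = {
    3389: "RDP",
    4000: "HFS file server (TCP 4000, as observed in this campaign)",
}


def parse_frpc_config(text: str) -> dict:
    """Parse an frpc.ini-style config into the server endpoint and its proxy sections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    common = cp["common"] if cp.has_section("common") else {}
    server = {
        "addr": common.get("server_addr", ""),
        # 7000 is frps's default bind port; the article's C2 list also uses it.
        "port": int(common.get("server_port", "7000")),
    }
    proxies = []
    for name in cp.sections():
        if name == "common":
            continue
        sec = cp[name]
        proxies.append({
            "name": name,
            "type": sec.get("type", "tcp"),
            "local_ip": sec.get("local_ip", "127.0.0.1"),
            "local_port": int(sec.get("local_port", "0")),
            "remote_port": int(sec.get("remote_port", "0")),
        })
    return {"server": server, "proxies": proxies}


def flag_reverse_exposures(config: dict, known_c2: Set[str]) -> List[str]:
    """Return human-readable findings: known C2 server and exposed sensitive local ports."""
    findings = []
    srv = config["server"]
    if srv["addr"] in known_c2:
        findings.append(f"server_addr {srv['addr']}:{srv['port']} matches a known C2 endpoint")
    for p in config["proxies"]:
        label = SUSPICIOUS_LOCAL_PORTS.get(p["local_port"])
        if label:
            findings.append(
                f"proxy '{p['name']}' exposes local {label} (port {p['local_port']}) "
                f"via remote port {p['remote_port']} on {srv['addr']}"
            )
    return findings


if __name__ == "__main__":
    cfg = parse_frpc_config(SAMPLE_FRPC_INI)
    for line in flag_reverse_exposures(cfg, KNOWN_C2_HOSTS):
        print("[!]", line)
```

In practice the configuration is often compiled into the modified binary rather than shipped as a file, so the same parsing can be applied to INI-looking strings carved out of a suspicious executable.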

Cloudflare tunneling client (Source – ASEC)

Cloudflare tunneling client is one of the attempts Bondnet threat actors used to connect a service on the compromised target with their C2 domain after registering a C2 domain on Cloudflare.

One of the applications executed was HFS, which provided a file server service on TCP port 4000. The program's layout resembled this threat actor's command-and-control (C2) infrastructure.

The HFS Golang program ran into environmental issues on the compromised system, so it was not possible to observe how the system would have been turned into a C2 server.

However, strong evidence indicates that Bondnet wished to exploit high-speed compromised systems as part of their C2 infrastructure via this tunneling means.

Bondnet, a threat actor, linked compromised targets with the Cloudflare tunneling client and HFS program to associate system services with the Cloudflare-hosted C2 domain.

They might have intended to convert high-performance bots into their C2 infrastructure via reverse RDP connections.

No data exfiltration or lateral movement was detected, although similarities between the HFS program UI and the actor’s C2 suggested its expected use.

During analysis of this system, it turned out that the HFS program did not work properly.

Some months later, the actor's C2 UI changed: new malicious files appeared and files that had previously been deleted were restored. This suggests that, after running into problems turning the initial target into a C2 node, the actor moved to another compromised bot using different tooling.

IOCs

MD5s

  • D6B2FEEA1F03314B21B7BB1EF2294B72 (smss.exe)
  • 2513EB59C3DB32A2D5EFBEDE6136A75D (mf)
  • E919EDC79708666CD3822F469F1C3714 (hotfixl.exe)
  • 432BF16E0663A07E4BD4C4EAD68D8D3D (main.exe)
  • 9B7BE5271731CFFC51EBDF9E419FA7C3 (dss.exe)
  • 7F31636F9B74AB93A268F5A473066053 (BulletsPassView64.exe)
  • D28F0CFAE377553FCB85918C29F4889B (VNCPassView.exe)
  • 6121393A37C3178E7C82D1906EA16FD4 (PstPassword.exe)
  • 0753CAB27F143E009012053208B7F63E (netpass64.exe)
  • 782DD6152AB52361EBA2BAFD67771FA0 (mailpv.exe)
  • 8CAFDBB0A919A1DE8E0E9E38F8AA19BD (PCHunter32.exe)
  • 00FA7F88C54E4A7ABF4863734A8F2017 (fast.exe)
  • AD3D95371C1A8465AC73A3BC2817D083 (kit.bat)
  • 15069DA45E5358578105F729EC1C2D0B (zmass_2.bat)
  • 28C2B019082763C7A90EF63BFD2F833A (dss.bat)
  • 5410539E34FB934133D6C689072BA49D (mimikatz.exe)
  • 59FEB67C537C71B256ADD4F3CBCB701C (ntuser.cpl)
  • 0FC84B8B2BD57E1CF90D8D972A147503 (httpd.exe)
  • 057D5C5E6B3F3D366E72195B0954283B (check.exe)
  • 35EE8D4E45716871CB31A80555C3D33E (UpSql.exe)
  • 1F7DF25F6090F182534DDEF93F27073D (svchost.exe)
  • DC8A0D509E84B92FBF7E794FBBE6625B (svchost.com)
  • 76B916F3EEB80D44915D8C01200D0A94 (RouterPassView.exe)
  • 44BD492DFB54107EBFE063FCBFBDDFF5 (rdpv.exe)
  • E0DB0BF8929CCAAF6C085431BE676C45 (mass.dll)
  • DF218168BF83D26386DFD4ECE7AEF2D0 (mspass.exe)
  • 35861F4EA9A8ECB6C357BDB91B7DF804 (pspv.exe)

URLs And C2s

  • 223.223.188[.]19
  • 185.141.26[.]116/stats.php
  • 185.141.26[.]116/hotfixl.ico
  • 185.141.26[.]116/winupdate.css
  • 84.46.22[.]158:7000
  • 46.59.214[.]14:7000
  • 46.59.210[.]69:7000
  • 47.99.155[.]111
  • d.mymst[.]top
  • m.mymst[.]top
  • frp.mymst007[.]top
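The IOCs above are defanged (`[.]`) and mix file hashes, bare IPs, IP:port endpoints, URLs and domains. The following added example, which is not part of the article, shows a small hunting routine a defender could run over endpoint telemetry: it refangs the indicators, normalises the network ones to hosts, and matches constructed process, DNS and connection records against them. The record format is an assumption made for the example; the indicator values are those listed in this article.

```python
from typing import Dict, List

# Indicators copied from the article's IOC list (a subset of the MD5s).
IOC_MD5 = {
    "D6B2FEEA1F03314B21B7BB1EF2294B72": "smss.exe",
    "E919EDC79708666CD3822F469F1C3714": "hotfixl.exe",
    "5410539E34FB934133D6C689072BA49D": "mimikatz.exe",
    "44BD492DFB54107EBFE063FCBFBDDFF5": "rdpv.exe",
}
IOC_NETWORK = [
    "223.223.188[.]19",
    "185.141.26[.]116/stats.php",
    "185.141.26[.]116/hotfixl.ico",
    "185.141.26[.]116/winupdate.css",
    "84.46.22[.]158:7000",
    "46.59.214[.]14:7000",
    "46.59.210[.]69:7000",
    "47.99.155[.]111",
    "d.mymst[.]top",
    "m.mymst[.]top",
    "frp.mymst007[.]top",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4, example[.]com) back into its usable form."""
    return indicator.replace("[.]", ".")


def indicator_host(indicator: str) -> str:
    """Reduce a URL, host:port or bare host to just the host part."""
    return refang(indicator).split("/")[0].split(":")[0]


def build_index() -> Dict[str, set]:
    """Build lookup sets: upper-case MD5s, network hosts, and full endpoints/URLs."""
    return {
        "md5": {h.upper() for h in IOC_MD5},
        "hosts": {indicator_host(i) for i in IOC_NETWORK},
        "full": {refang(i) for i in IOC_NETWORK},
    }


def match_records(records: List[dict], index: Dict[str, set]) -> List[str]:
    """Return one hit string per telemetry record that matches an indicator."""
    hits = []
    for r in records:
        kind = r.get("type")
        if kind == "process" and r.get("md5", "").upper() in index["md5"]:
            hits.append(f"process {r.get('image')} md5 {r['md5'].upper()} "
                        f"({IOC_MD5.get(r['md5'].upper(), 'known bad')})")
        elif kind == "dns" and r.get("query", "").lower() in index["hosts"]:
            hits.append(f"dns query for C2 domain {r['query']}")
        elif kind == "net":
            endpoint = f"{r.get('dst_ip')}:{r.get('dst_port')}"
            if endpoint in index["full"] or r.get("dst_ip") in index["hosts"]:
                hits.append(f"connection to C2 endpoint {endpoint}")
    return hits


# Constructed telemetry: three records that should hit and one benign record.
SAMPLE_RECORDS = [
    {"type": "process", "image": r"C:\Windows\Temp\smss.exe",
     "md5": "d6b2feea1f03314b21b7bb1ef2294b72"},
    {"type": "dns", "query": "frp.mymst007.top"},
    {"type": "net", "dst_ip": "84.46.22.158", "dst_port": 7000},
    {"type": "net", "dst_ip": "10.0.0.5", "dst_port": 445},
]

if __name__ == "__main__":
    for hit in match_records(SAMPLE_RECORDS, build_index()):
        print("[!]", hit)
```

Matching on the host alone for the URL indicators is deliberate: the three `185.141.26[.]116` URLs share one server, and a connection to that IP is worth a look even if the exact path is not logged.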


Tushar Subhra Dutta
