Bondnet is shown to still be active, increasingly leveraging miner bot activity as a covert C2 channel by installing a reverse RDP environment on powerful bots and linking it to a Cloudflare-tunneled C2. The actors attempted to turn a botnet host into a C2 using a modified FRP proxy and an HFS file server, but ultimately faced environmental issues and UI changes that suggest ongoing evasion and replacement attempts.
#Bondnet #FRP #Cloudflare #HFS #XMRig
Keypoints
- Bondnet activity persists, with indicators of ongoing access and attempted C2 infrastructure as recently as 2023.
- The group configured a reverse RDP environment on high-performance bots to serve as C2 servers, accessed through RDP.
- Proxy-based tunneling is central: the actors used proxy servers and a modified FRP tool to establish and maintain the reverse RDP environment.
- A Cloudflare-tunneled C2 channel was created via a Cloudflare domain, with the Cloudflare tunneling client linking a target service to the C2 domain.
- An HTTP File Server (HFS) component was deployed in the target system to provide a file server service, with UI and behavior resembling the C2 interface, though environmental issues blocked full functionality.
- After initial attempts failed, the threat actors appear to have changed the C2 UI and introduced new malicious files about a month later, implying replacement of the C2 component or of the bot used.
- ASEC enumerates numerous IOCs (MD5s, domains, and IPs) associated with Bondnet-related activity, underscoring the breadth of indicators tied to this actor.
MITRE Techniques
- [T1021.001] Remote Services – The threat actor accessed the target system via RDP. "the threat actor accessed the target system via RDP"
- [T1090] Proxy – The Bondnet threat actor used proxy servers and a fast reverse proxy (hereinafter "FRP") tool to configure the reverse RDP environment. "The Bondnet threat actor used proxy servers and a fast reverse proxy (hereinafter "FRP") tool to configure the reverse RDP environment."
- [T1071.001] Web Protocols – The C2 channel appears tied to a Cloudflare domain and an HTTP-based file server, with UI characteristics linking the HFS service to the C2. "The UI of the HFS program and that of the threat actor's C2 are the same"
- [T1136] Create Account – The actor attempted to add an adminxy account under certain hardware/network conditions. "Add an adminxy account"
Indicators of Compromise
- [MD5] file hashes – D6B2FEEA1F03314B21B7BB1EF2294B72 (smss.exe), 2513EB59C3DB32A2D5EFBEDE6136A75D (mf), and 20+ more hashes
- [Domains] C2-related domains – d.mymst.top, m.mymst.top, frp.mymst007.top
- [IP Addresses] observed IPs (with ports) – 223.223.188.19, 47.99.155.111, 84.46.22.158:7000, 46.59.214.14:7000, 46.59.210.69:7000, 185.141.26.116
- [URLs] C2/Web-related URLs – http://185.141.26.116/stats.php, http://185.141.26.116/hotfixl.ico
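Added example (not code from ASEC or the report): a small detector that runs the IOCs above, plus the FRP/Cloudflare/HFS tooling the keypoints describe, over constructed connection, DNS and process log lines. It generalizes slightly by treating any host under the two listed parent domains as suspicious and by flagging outbound traffic to port 7000 (FRP's default server port); the log format and the tool binary names are assumptions.

```python
"""Scan simple log lines for Bondnet-related indicators from this page."""
import re
from dataclasses import dataclass

# Indicators copied from the IOC section of this page.
C2_DOMAINS = {"d.mymst.top", "m.mymst.top", "frp.mymst007.top"}
C2_PARENTS = (".mymst.top", ".mymst007.top")  # assumption: whole zone is hostile
C2_IPS = {"223.223.188.19", "47.99.155.111", "84.46.22.158",
          "46.59.214.14", "46.59.210.69", "185.141.26.116"}
FRP_PORT = 7000  # port seen on three of the listed IPs; FRP's default server port
# Assumed binary names for the tools the report names (FRP client/server,
# Cloudflare tunneling client, HTTP File Server).
TUNNEL_TOOLS = {"frpc.exe", "frps.exe", "cloudflared.exe", "hfs.exe"}

# Constructed log format: "<kind> <process> <target>", kind in net/dns/proc.
LINE_RE = re.compile(r"(?P<kind>net|dns|proc)\s+(?P<proc>\S+)\s+(?P<target>\S+)")

@dataclass
class Hit:
    line_no: int
    reason: str

def scan(lines):
    """Return one Hit per matched indicator, in log order."""
    hits = []
    for i, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        kind, proc, target = m.group("kind", "proc", "target")
        if proc.lower() in TUNNEL_TOOLS:
            hits.append(Hit(i, f"tunneling tool {proc}"))
        if kind == "dns":
            host = target.lower()
            if host in C2_DOMAINS or host.endswith(C2_PARENTS):
                hits.append(Hit(i, f"C2 domain {host}"))
        elif kind == "net":
            ip, _, port = target.rpartition(":")
            if ip in C2_IPS:
                hits.append(Hit(i, f"C2 IP {ip}"))
            elif port.isdigit() and int(port) == FRP_PORT:
                hits.append(Hit(i, f"outbound to FRP default port from {proc}"))
    return hits

# Constructed sample log: benign lines first, then Bondnet-style activity.
SAMPLE_LOG = [
    "net svchost.exe 40.126.1.1:443",
    "dns chrome.exe update.microsoft.com",
    "proc frpc.exe C:\\Windows\\Temp\\frpc.ini",
    "dns frpc.exe frp.mymst007.top",
    "net frpc.exe 84.46.22.158:7000",
    "net unknown.exe 10.0.0.5:7000",
    "dns svchost.exe x.mymst.top",
]
```

Running `scan(SAMPLE_LOG)` yields seven hits: lines 3 to 7 each fire, with lines 4 and 5 matching twice (tool plus domain, tool plus IP).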
Read more: https://asec.ahnlab.com/en/66662/