Threat actors abuse high-performance bots to carry out large-scale automated attacks efficiently.
Such bots work quickly, flood systems, steal information and orchestrate sophisticated cyber operations largely autonomously.
Cybersecurity researchers at ASEC recently discovered that Bondnet has been using high-performance bots as C2 servers.
Technical Analysis
Bondnet, a threat actor that has been deploying backdoors and cryptocurrency miners since 2017, continues to adopt new techniques.
The ASEC researchers noted that Bondnet configures reverse RDP environments on high-performance compromised systems and uses those systems as C2 servers.
To do so, the actor modified the open-source fast reverse proxy (FRP) tool, embedding the threat actor's own proxy server information in it.
Alongside this FRP-based reverse RDP setup, Bondnet ran additional programs on the targets, such as the Cloudflare tunneling client, to maintain remote access and keep hold of the compromised systems.
The Cloudflare tunneling client was one of the means Bondnet used to connect a service on the compromised host to a C2 domain the actor had registered with Cloudflare.
One of the applications executed was HFS, which provided a file server service on TCP port 4000; its design closely resembled the threat actor's existing command-and-control infrastructure.
Because the Go-based HFS program failed due to environmental issues, the researchers could not observe the system actually being converted into a C2 server.
However, strong evidence indicates that Bondnet intended to use high-performance compromised systems as part of its C2 infrastructure through this tunneling setup.
In short, Bondnet used the Cloudflare tunneling client and the HFS program to associate services on compromised hosts with the Cloudflare-hosted C2 domain, apparently intending to turn high-performance bots into C2 infrastructure reachable over reverse RDP.
No data exfiltration or lateral movement was detected, but the similarity between the HFS program's UI and the actor's C2 suggested its intended use.
During analysis of this system, the HFS program turned out not to work properly.
Some months later, the actor's C2 UI changed, new malicious files appeared and previously deleted files were restored, suggesting that after running into problems turning the initial target into a C2 node, the actor may have used another compromised bot with different tooling.
IOCs
MD5s
- D6B2FEEA1F03314B21B7BB1EF2294B72(smss.exe)
- 2513EB59C3DB32A2D5EFBEDE6136A75D(mf)
- E919EDC79708666CD3822F469F1C3714(hotfixl.exe)
- 432BF16E0663A07E4BD4C4EAD68D8D3D(main.exe)
- 9B7BE5271731CFFC51EBDF9E419FA7C3(dss.exe)
- 7F31636F9B74AB93A268F5A473066053(BulletsPassView64.exe)
- D28F0CFAE377553FCB85918C29F4889B(VNCPassView.exe)
- 6121393A37C3178E7C82D1906EA16FD4(PstPassword.exe)
- 0753CAB27F143E009012053208B7F63E(netpass64.exe)
- 782DD6152AB52361EBA2BAFD67771FA0(mailpv.exe)
- 8CAFDBB0A919A1DE8E0E9E38F8AA19BD(PCHunter32.exe)
- 00FA7F88C54E4A7ABF4863734A8F2017(fast.exe)
- AD3D95371C1A8465AC73A3BC2817D083(kit.bat)
- 15069DA45E5358578105F729EC1C2D0B(zmass_2.bat)
- 28C2B019082763C7A90EF63BFD2F833A(dss.bat)
- 5410539E34FB934133D6C689072BA49D(mimikatz.exe)
- 59FEB67C537C71B256ADD4F3CBCB701C(ntuser.cpl)
- 0FC84B8B2BD57E1CF90D8D972A147503(httpd.exe)
- 057D5C5E6B3F3D366E72195B0954283B(check.exe)
- 35EE8D4E45716871CB31A80555C3D33E(UpSql.exe)
- 1F7DF25F6090F182534DDEF93F27073D(svchost.exe)
- DC8A0D509E84B92FBF7E794FBBE6625B(svchost.com)
- 76B916F3EEB80D44915D8C01200D0A94(RouterPassView.exe)
- 44BD492DFB54107EBFE063FCBFBDDFF5(rdpv.exe)
- E0DB0BF8929CCAAF6C085431BE676C45(mass.dll)
- DF218168BF83D26386DFD4ECE7AEF2D0(mspass.exe)
- 35861F4EA9A8ECB6C357BDB91B7DF804(pspv.exe)
URLs and C2s
- 223.223.188[.]19
- 185.141.26[.]116/stats.php
- 185.141.26[.]116/hotfixl.ico
- 185.141.26[.]116/winupdate.css
- 84.46.22[.]158:7000
- 46.59.214[.]14:7000
- 46.59.210[.]69:7000
- 47.99.155[.]111
- d.mymst[.]top
- m.mymst[.]top
- frp.mymst007[.]top
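As an added illustration, not code from the ASEC report or this page, the following Python snippet turns the IOCs listed above into a simple matcher that runs over Sysmon-style log lines. The sample log lines, the `UrlPath` field and the subset of MD5s in the dictionary are constructed for the example; the port-7000 heuristic relies on the fact that frps, the FRP server component, listens on TCP 7000 by default, which is why three of the listed C2 addresses end in `:7000`.

```python
import re
from typing import Dict, List, Tuple

# Subset of the MD5 IOCs from this page (extend with the rest); lower-cased
# so matching is case-insensitive.
IOC_MD5: Dict[str, str] = {
    "d6b2feea1f03314b21b7bb1ef2294b72": "smss.exe",
    "e919edc79708666cd3822f469f1c3714": "hotfixl.exe",
    "00fa7f88c54e4a7abf4863734a8f2017": "fast.exe",
    "5410539e34fb934133d6c689072ba49d": "mimikatz.exe",
    "1f7df25f6090f182534ddef93f27073d": "svchost.exe",
}

# Network IOCs from this page, kept defanged and refanged before use.
IOC_NETWORK: List[str] = [
    "223.223.188[.]19", "185.141.26[.]116/stats.php",
    "185.141.26[.]116/hotfixl.ico", "185.141.26[.]116/winupdate.css",
    "84.46.22[.]158:7000", "46.59.214[.]14:7000", "46.59.210[.]69:7000",
    "47.99.155[.]111", "d.mymst[.]top", "m.mymst[.]top", "frp.mymst007[.]top",
]

# frps binds TCP 7000 by default; an outbound connection to 7000 is a weak signal.
FRP_DEFAULT_PORT = "7000"

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """'185.141.26[.]116' -> '185.141.26.116'."""
    return indicator.replace("[.]", ".")


def split_network_ioc(indicator: str) -> Tuple[str, str, str]:
    """Split a refanged IOC into (host, port, path); missing parts are ''."""
    host, slash, path = refang(indicator).partition("/")
    host, _, port = host.partition(":")
    return host, port, ("/" + path if slash else "")


def parse_kv(line: str) -> Dict[str, str]:
    """Parse Key=Value pairs from a Sysmon-style text line (values have no spaces)."""
    return dict(KV_RE.findall(line))


def match_network(host: str, port: str, path: str) -> List[str]:
    """Labels of network IOCs matching the observed destination.

    Port and path are only compared when the log line carries them; a bare
    connection to a host that has only URL IOCs matches at host level.
    """
    labels = set()
    for ioc in IOC_NETWORK:
        ioc_host, ioc_port, ioc_path = split_network_ioc(ioc)
        if host.lower() != ioc_host.lower():
            continue
        if ioc_port and port and ioc_port != port:
            continue
        if ioc_path and path and ioc_path != path:
            continue
        labels.add(refang(ioc) if (path or not ioc_path) else ioc_host)
    return sorted(labels)


def scan_line(line: str) -> List[str]:
    """Return hit labels for one log line (empty list if clean)."""
    f = parse_kv(line)
    hits: List[str] = []
    # 1. Known-bad file hash (Sysmon Event 1 carries Hashes=MD5=...)
    m = re.search(r"MD5=([0-9a-fA-F]{32})", f.get("Hashes", ""))
    if m and m.group(1).lower() in IOC_MD5:
        hits.append("md5:" + IOC_MD5[m.group(1).lower()])
    # 2. Known-bad destination (Event 3 network connection, Event 22 DNS query)
    host = f.get("DestinationIp") or f.get("QueryName", "")
    port, path = f.get("DestinationPort", ""), f.get("UrlPath", "")
    hits += ["net:" + label for label in match_network(host, port, path)]
    # 3. Heuristic: FRP default server port with no IOC match
    if port == FRP_DEFAULT_PORT and not any(h.startswith("net:") for h in hits):
        hits.append("heuristic:frps-default-port-7000")
    return hits


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run scan_line over a log; keep (line_number, hits) for lines with hits."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_line(line))]


# Constructed Sysmon-style sample lines, not telemetry from the report.
SAMPLE_LOG = [
    "EventID=1 Image=C:\\Windows\\Temp\\mimikatz.exe Hashes=MD5=5410539E34FB934133D6C689072BA49D",
    "EventID=22 Image=C:\\Windows\\Temp\\fast.exe QueryName=frp.mymst007.top",
    "EventID=3 Image=C:\\Windows\\Temp\\fast.exe DestinationIp=84.46.22.158 DestinationPort=7000",
    "EventID=3 Image=C:\\Users\\Public\\svc.exe DestinationIp=203.0.113.10 DestinationPort=7000",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=13.107.4.50 DestinationPort=443",
    "EventID=3 Image=C:\\Windows\\Temp\\hotfixl.exe DestinationIp=185.141.26.116 DestinationPort=80 UrlPath=/hotfixl.ico",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

The hash match and the host/port/path matches are high-confidence indicators; the port-7000 heuristic is deliberately reported separately because legitimate software also uses that port, so it is a lead to triage rather than an alert on its own.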