Cybersecurity researchers have pinpointed how threat actors are leveraging high-performance bots to execute large-scale automated attacks. These bots, known for their efficiency, can inundate systems, pilfer information, and autonomously carry out sophisticated cyber operations. The recent activities of a group known as Bondnet have been particularly notable in this regard.
First identified in 2017, Bondnet is a threat actor group that deploys backdoors and cryptocurrency miners on the systems it infiltrates. The group recently updated its tactics: it configures reverse RDP environments on high-performance compromised devices so that they can serve as Command and Control (C2) servers. To do this it modifies open-source reverse proxy tools and embeds its own proxy server information in them.
Technical Analysis
Bondnet’s approach included setting up an FRP-based reverse RDP environment. They also ran programs like the Cloudflare tunneling client on compromised targets to ensure remote access. By linking these systems to the Cloudflare-hosted C2 domain, Bondnet maintained control over valuable compromised resources.
One of the tools used in these operations was HFS, which provided file server services on TCP port 4000. This setup resembled Bondnet's existing Command and Control infrastructure, but environmental issues on the compromised host prevented the researchers from fully observing its transition into a C2 node. Despite this, the evidence suggested that Bondnet aimed to use these high-performance systems as part of its C2 infrastructure.
Bondnet's strategy involved using the Cloudflare tunneling client and the HFS program to connect compromised systems to its C2 domain. While no data exfiltration or lateral movement was detected, the HFS program's user interface hinted at its intended use. Because HFS did not function correctly during analysis, Bondnet may have used another compromised bot with different tools instead.
Indicators of Compromise (IOCs)
MD5s:
- D6B2FEEA1F03314B21B7BB1EF2294B72 (smss.exe)
- 2513EB59C3DB32A2D5EFBEDE6136A75D (mf)
- E919EDC79708666CD3822F469F1C3714 (hotfixl.exe)
- 432BF16E0663A07E4BD4C4EAD68D8D3D (main.exe)
- 9B7BE5271731CFFC51EBDF9E419FA7C3 (dss.exe)
- 7F31636F9B74AB93A268F5A473066053 (BulletsPassView64.exe)
- D28F0CFAE377553FCB85918C29F4889B (VNCPassView.exe)
- 6121393A37C3178E7C82D1906EA16FD4 (PstPassword.exe)
- 0753CAB27F143E009012053208B7F63E (netpass64.exe)
- 782DD6152AB52361EBA2BAFD67771FA0 (mailpv.exe)
- 8CAFDBB0A919A1DE8E0E9E38F8AA19BD (PCHunter32.exe)
- 00FA7F88C54E4A7ABF4863734A8F2017 (fast.exe)
- AD3D95371C1A8465AC73A3BC2817D083 (kit.bat)
- 15069DA45E5358578105F729EC1C2D0B (zmass_2.bat)
- 28C2B019082763C7A90EF63BFD2F833A (dss.bat)
- 5410539E34FB934133D6C689072BA49D (mimikatz.exe)
- 59FEB67C537C71B256ADD4F3CBCB701C (ntuser.cpl)
- 0FC84B8B2BD57E1CF90D8D972A147503 (httpd.exe)
- 057D5C5E6B3F3D366E72195B0954283B (check.exe)
- 35EE8D4E45716871CB31A80555C3D33E (UpSql.exe)
- 1F7DF25F6090F182534DDEF93F27073D (svchost.exe)
- DC8A0D509E84B92FBF7E794FBBE6625B (svchost.com)
- 76B916F3EEB80D44915D8C01200D0A94 (RouterPassView.exe)
- 44BD492DFB54107EBFE063FCBFBDDFF5 (rdpv.exe)
- E0DB0BF8929CCAAF6C085431BE676C45 (mass.dll)
- DF218168BF83D26386DFD4ECE7AEF2D0 (mspass.exe)
- 35861F4EA9A8ECB6C357BDB91B7DF804 (pspv.exe)
URLs and C2s:
- 223.223.188[.]19
- 185.141.26[.]116/stats.php
- 185.141.26[.]116/hotfixl.ico
- 185.141.26[.]116/winupdate.css
- 84.46.22[.]158:7000
- 46.59.214[.]14:7000
- 46.59.210[.]69:7000
- 47.99.155[.]111
- d.mymst[.]top
- m.mymst[.]top
- frp.mymst007[.]top
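The technical analysis above and this IoC list describe the pieces a defender can actually look for: the listed MD5s, connections to the listed C2 hosts (several on the FRP server port 7000), requests for the listed payload URLs, DNS lookups of the listed domains, a process listening on the HFS file-server port 4000, and outbound connections by tunneling clients. The following script is an added example, not code from the report or its authors: it parses the defanged indicators above into matchable form and runs a small ruleset over constructed endpoint telemetry lines. The `key=value` telemetry format, the sample lines, and the default tunneling-tool process names (`frpc.exe`, `cloudflared.exe`, `hfs.exe`) are assumptions, the last one especially, since the samples on this page were dropped under unrelated names such as httpd.exe and svchost.exe.

```python
"""Match constructed endpoint telemetry against the Bondnet IoCs listed on this page."""
from __future__ import annotations

import re

# Network indicators copied from the "URLs and C2s" list above, still defanged.
DEFANGED_NETWORK_IOCS = [
    "223.223.188[.]19",
    "185.141.26[.]116/stats.php",
    "185.141.26[.]116/hotfixl.ico",
    "185.141.26[.]116/winupdate.css",
    "84.46.22[.]158:7000",
    "46.59.214[.]14:7000",
    "46.59.210[.]69:7000",
    "47.99.155[.]111",
    "d.mymst[.]top",
    "m.mymst[.]top",
    "frp.mymst007[.]top",
]

# A subset of the MD5 list above (lower-cased hash -> file name); extend with the rest as needed.
IOC_MD5 = {
    "d6b2feea1f03314b21b7bb1ef2294b72": "smss.exe",
    "e919edc79708666cd3822f469f1c3714": "hotfixl.exe",
    "5410539e34fb934133d6c689072ba49d": "mimikatz.exe",
    "0fc84b8b2bd57e1cf90d8d972a147503": "httpd.exe",
    "1f7df25f6090f182534ddef93f27073d": "svchost.exe",
}

HFS_PORT = 4000  # HFS file-server port named in the analysis
# Assumed default process names of the tooling the analysis names (FRP client,
# Cloudflare tunnel client, HFS); the real samples were renamed, so treat as a starting point.
TUNNEL_TOOLS = {"frpc.exe", "cloudflared.exe", "hfs.exe"}


def refang(indicator: str) -> str:
    """Turn '185.141.26[.]116' style defanging back into a usable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_network_ioc(entry: str) -> tuple[str, int | None, str | None]:
    """Split a defanged 'host[:port][/path]' entry into (host, port, path)."""
    host_port, _, path = refang(entry).partition("/")
    host, _, port = host_port.partition(":")
    return host, (int(port) if port else None), ("/" + path if path else None)


# Build lookup sets once so matching is O(1) per event.
IOC_HOSTS: set[str] = set()
IOC_HOST_PORTS: set[tuple[str, int]] = set()
IOC_URL_PATHS: set[tuple[str, str]] = set()
for _entry in DEFANGED_NETWORK_IOCS:
    _host, _port, _path = parse_network_ioc(_entry)
    IOC_HOSTS.add(_host)
    if _port is not None:
        IOC_HOST_PORTS.add((_host, _port))
    if _path is not None:
        IOC_URL_PATHS.add((_host, _path))

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict[str, str]:
    """Parse one constructed 'key=value key=value' telemetry line."""
    return dict(FIELD_RE.findall(line))


def classify_event(event: dict[str, str]) -> list[str]:
    """Return the list of IoC or behaviour hits for one parsed telemetry event."""
    hits: list[str] = []
    kind = event.get("type")
    proc = event.get("proc", "").lower()
    if kind == "file":
        md5 = event.get("md5", "").lower()
        if md5 in IOC_MD5:
            hits.append(f"known Bondnet file hash ({IOC_MD5[md5]})")
    elif kind == "net":
        dst, dport = event.get("dst", ""), int(event.get("dport", 0))
        if (dst, dport) in IOC_HOST_PORTS:
            hits.append(f"connection to Bondnet C2 {dst}:{dport}")
        elif dst in IOC_HOSTS:
            hits.append(f"connection to Bondnet C2 host {dst}")
        if proc in TUNNEL_TOOLS:  # tunnelling client talking out, whatever the destination
            hits.append(f"outbound connection by tunnelling tool {proc}")
    elif kind == "http":
        if (event.get("host", ""), event.get("path", "")) in IOC_URL_PATHS:
            hits.append(f"request for Bondnet payload URL {event['host']}{event['path']}")
    elif kind == "dns":
        if event.get("query", "").lower() in IOC_HOSTS:
            hits.append(f"DNS lookup of Bondnet domain {event['query']}")
    elif kind == "listen":
        if int(event.get("lport", 0)) == HFS_PORT:
            hits.append(f"{proc} listening on HFS port {HFS_PORT}")
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line_number, hits) for every telemetry line with at least one hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify_event(parse_event(line))
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample telemetry (not real data); indicator values come from the list above.
SAMPLE_TELEMETRY = [
    "type=file path=C:\\Windows\\Temp\\hotfixl.exe md5=E919EDC79708666CD3822F469F1C3714",
    "type=file path=C:\\Windows\\System32\\notepad.exe md5=00000000000000000000000000000000",
    "type=http proc=hotfixl.exe host=185.141.26.116 path=/winupdate.css",
    "type=dns proc=cloudflared.exe query=frp.mymst007.top",
    "type=net proc=svchost.exe dst=84.46.22.158 dport=7000",
    "type=net proc=chrome.exe dst=93.184.216.34 dport=443",
    "type=listen proc=httpd.exe lport=4000",
    "type=net proc=frpc.exe dst=203.0.113.10 dport=7000",
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_TELEMETRY):
        print(f"line {n}: " + "; ".join(hits))
```

Run as-is it flags six of the eight constructed lines; the two benign lines (an unknown hash, a browser connection on 443) produce no hit. The host-only and host:port matches are kept separate on purpose: a hit on 84.46.22.158:7000 points at the FRP reverse-proxy setup described above, whereas a bare host match may be a different service on a shared address and deserves a lower severity. The "listening on 4000" and "tunnelling tool" rules are behavioural and will need tuning against legitimate use of HFS, FRP or cloudflared in your environment.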