The Bondnet Army

GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions.

The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server.  Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day.

In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup toola list of IoCs and a select list of Questions and Answers

Bondnet by Numbers

  • Bondnet has penetrated more than 15,000 machines to date
  • Everyday 2000 machines – equals 12,000 cores – report to the Bondnet C&C
  • Victim CPU core count varies from 1 to 64
  • ~ 500  new machines are added daily to the attacker’s network and around the same number of machines is delisted
  • Bondnet victims are distributed across 141 countries in 6 continents

Botnet Recruitment

The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet’s victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis.

Heatmap of the Bondnet victims

Heatmap of the Bondnet victims

While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The  attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers.

Infection Strategy

The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services.

Bondnet attack vectors breakdown

Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works.

Anatomy of a MySQL Attack  

The infection kicks off by planting files using the INTO DUMPFILE command in MySQL  and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported  function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics.

Bondnet MySQL Commands seen in GGSN

The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008).

Visual Basic Payload

The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner.

The attacker's obfuscated Visual Basic code

The attacker’s obfuscated Visual Basic code


The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner.

The miner schedule task

The miner schedule task

WMI Trojan

The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective.

The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc.

Then it collects and transmits computer metadata to a C&C server directed from

  • Computer name
  • RDP Port
  • Guest username
  • OS Version
  • Number of active processors
  • Uptime measured in hours
  • The original infection vector
  • Whether the victim is running a chinese version of Windows
  • OS language
  • CPU architecture (x86/x64)

The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two.

Communication is done over plain HTTP

Last, the malware downloads a command file from over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity.

The command we’ve observed downloads another file named from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent  benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner’s installer previously described.

Controlling Bondnet

On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server.

The C&C listens on port 8080 and allows the victim to do the following:

  • Upload information – Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt.
  • Download command – Commands are delivered when requesting alldl.asp. This file and multiple others (, are saved encrypted on disk and are decrypted in memory before being sent to victims.
Trojan command and control flow

Trojan command and control flow

This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers.

The C&C server's administration interface

The C&C server’s administration interface

Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named or containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker  chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send.

Attack Infrastructure

The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers.

File listing of a miner file server

File listing of a miner file server

Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files.  

Who are you Bond007.01?

Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker’s habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone.

We have multiple reasons to assume that Bond007.01 is based in China:

  • The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him.
  • The attacker’s code handles Chinese desktop victims differently compared to all other victims.
  • The Bondnet C&C server is compiled on a Chinese computer.  

The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang

Detection and remediation

To check whether your machine is infected and to clean it, you can EITHER 

use the GuardiCore detection & cleanup script by simply running:  cscript.exe GC-BondnetCleaner.vbs


do it manually using the following series of steps:

Log files

Every compromised Windows machine hosts at least one of the following log files:

  • %windir%\wb2010kb.logContains a log of a successful attack
  • %windir%\temp\dfvt.logContains the log message from running the WMI trojan.  

WMI Trojan

To check whether the backdoor is currently installed, run the following command:

gwmi -Namespace “root/subscription” -Class __EventConsumer | where name -eq  “MYASECdr”

If the results include an instance of the ASEventConsumerdr it means the trojan is currently active.

Output of a command on an infected machine

To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands  remove the class object, preventing an easy return.

gwmi -Namespace “root/subscription” -Class __EventFilter | where name -eq “EF” | Remove-WmiObject

gwmi -Namespace “root/subscription” -Class __EventFilter | where name -eq “EFNMdr” | Remove-WmiObject

gwmi -Namespace “root/subscription” -Class ASEventConsumerdr | Remove-WmiObject

$query = “SELECT * FROM meta_class where __class = ‘ASEventConsumerdr'”

Get-WmiObject -Query $query -Namespace “root\subscription” | where Name -eq “ASEventConsumerdr” | Remove-WmiObject


To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or “cell” that runs a batch script. If detected, remove it along with the miner directory.

You can also filter suspicious tasks with the following two commands



SCHTASKS /Query /V /FO LIST /TN cell

In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list.

Backdoor User

If prior steps have shown your machine is compromised, inspect the following as well:

  • Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password.
  • Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”.  
  • RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command:

reg query  “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v  fDenyChildConnections

If the value is 0, RDP connections are enabled.


In this campaign, the attacker’s objective  is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power.

Building an attack infrastructure on top of victim machines helps conceal the attacker’s true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet.

While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today’s mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim’s network.

If you want to make sure your machines are not infected, download our free detection & cleanup tool below.


Fill in your details to get the detection & cleanup tool

Appendix – Network IoCs

In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080).


IP Address Type Attack machine Attack machine Attack machine Command and control Command and control Command and control Command and control Command and control Command and control Command and control Command and control Command and control Miner repository Miner repository Miner repository Miner repository Miner repository Miner repository Miner repository Miner repository Miner repository Miner repository Inactive Inactive Inactive Inactive Inactive

In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list.


Appendix – File IoCs

The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files.

In addition, the following file names are indicative of compromise.

%windir%\wb2010kb.log – Indicative of compromise by the initial stage of any infection vector

%windir%\temp\dfvt.log – indicative of compromise by the MOF file (more interesting)

Attack files

Hash Path
2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp
1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp

Also known as

25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar
BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar
01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof
7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z
B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z
01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf


The miner executables themselves change frequently but keep the same names, listed here

  • smssm.exe
  • msdc.exe
  • z64.exe
  • servies.exe
Hash Path
37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar
9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar
3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar
D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar
91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar
FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar
40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar
B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z
01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf
710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz
EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar
822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar
25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar
F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar
3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar
B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar
7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar
469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat
BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat
F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat
18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat
0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat
3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat
111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat
15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz
710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz
05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll
DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr
AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe
C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe
785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe
18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe
1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe
34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt
1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe
B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe
C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe
63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe
2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe
6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe
9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat
A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat
92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat
428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar
E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe
89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar
376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat
7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe
C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe
4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe
9 replies
  1. eric
    eric says:

    Thanks for sharing!! I ran the tool and was infected on my Windows server 2008 R2. I cleaned the infection, however at 11pm once again the guest account got re enabled! Any further suggestions?

    Thnaks, Eric

    • Daniel Goldberg
      Daniel Goldberg says:

      Hey Eric,
      The Guest account was reactivated is down to the WMI trojan still functioning. Every day at 11PM it will run and reinfect your machine.

      In order to remove it, you can download the cleanup script we provided (using the form in this post) or manually perform all the steps provided in the post.

      Hope this helps

  2. Massimo
    Massimo says:

    the tools only detect if the log file is present. if you rename the logfile it says system is clean. but the wmi malware is still there.
    i found it with these powershell commands :
    find the scheduled task
    Get-WmiObject -Class __EventFilter -ComputerName . -Namespace ROOT\DEFAULT -filter “Name=’Power'” | Select-Object * -ExcludeProperty PSComputerName, Scope, Path, Options, ClassPath, Properties, SystemProperties, Qualifiers, Site, Container | Format-List -Property [a-z]*
    find the malware source code (vbs)
    Get-WmiObject -Class __EventConsumer -ComputerName . -Namespace ROOT\DEFAULT | Select-Object * -ExcludeProperty PSComputerName, Scope, Path, Options, ClassPath, Properties, SystemProperties, Qualifiers, Site, Container | Format-List -Property [a-z]*

    remove the scheduler & malware :
    gwmi -namespace root\default -class __eventfilter | where {$ -eq “Power”} | remove-wmiobject
    gwmi -namespace root\default -class __eventconsumer | where {$ -eq “Power”} | remove-wmiobject
    gwmi -namespace root\default -class __filtertoconsumerbinding -Filter “Filter = “”’Power'””” | remove-wmiobject
    these queries were found on rich kreider web site


    • Daniel Goldberg
      Daniel Goldberg says:

      Thank you for your comment,

      Our script does not just detect the log file but also checks for the WMI persistence. Maybe you’re seeing a new variant? Could you send the VB code you’re running into?


  3. Alex
    Alex says:

    Thank you for this awesome investigation! You and Rich Kreider’s site helped me in my fight against this crypt currency miner!
    He and the fellows in his blog ( ) found similar WMI instance (ActiveScriptEventConsumer.Name=”PowerLog”).

    Here is what Mike wrote (

    Here are the steps I followed to delete this script:
    1) Go to Start –> Run –> and enter “WBEMTest” to start the “Windows Management Instrumentation Tester” application.
    2) Check the “Enable All Privileges” check box.
    3) Click the “Connect…” button.
    4) Enter “rootdefault” in the “Namespace” box and click the “Connect” button.
    5) Click the “Enum Instances…” button and enter “ActiveScriptEventConsumer”.
    6) Click “ActiveScriptEventConsumer.Name=”PowerLog”” in the list of results and click the “Delete” button.
    7) Click the “Close” and “Exit” buttons to shut down the application.


Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *