by 11 Comments

GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions.

The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server.  Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day.

In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup toola list of IoCs and a select list of Questions and Answers

Bondnet by Numbers

  • Bondnet has penetrated more than 15,000 machines to date
  • Everyday 2000 machines – equals 12,000 cores – report to the Bondnet C&C
  • Victim CPU core count varies from 1 to 64
  • ~ 500  new machines are added daily to the attacker’s network and around the same number of machines is delisted
  • Bondnet victims are distributed across 141 countries in 6 continents

Get the Detection & Cleanup Tool

Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element  Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

Botnet Recruitment

The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet’s victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis.

Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

Heatmap of the Bondnet victims

While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The  attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers.

Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element  Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

Infection Strategy

The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services.

Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

Bondnet attack vectors breakdown

Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works.

Anatomy of a MySQL Attack  

The infection kicks off by planting files using the INTO DUMPFILE command in MySQL  and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported  function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics.

Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element  Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

Bondnet MySQL Commands seen in GGSN

The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008).

Visual Basic Payload

The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner.

Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

The attacker’s obfuscated Visual Basic code

Miner

The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner.

Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

The miner schedule task

WMI Trojan

The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective.

The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc.

Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info.

  • Computer name
  • RDP Port
  • Guest username
  • OS Version
  • Number of active processors
  • Uptime measured in hours
  • The original infection vector
  • Whether the victim is running a chinese version of Windows
  • OS language
  • CPU architecture (x86/x64)

The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two.

Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

Communication is done over plain HTTP

Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity.

The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent  benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner’s installer previously described.

Controlling Bondnet

On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server.

The C&C listens on port 8080 and allows the victim to do the following:

  • Upload information – Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt.
  • Download command – Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims.
Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

Trojan command and control flow

This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers.

Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

The C&C server’s administration interface

Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker  chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send.

Attack Infrastructure

The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers.

Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

File listing of a miner file server

Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files.  

Who are you Bond007.01?

Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker’s habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone.

We have multiple reasons to assume that Bond007.01 is based in China:

  • The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him.
  • The attacker’s code handles Chinese desktop victims differently compared to all other victims.
  • The Bondnet C&C server is compiled on a Chinese computer.  
Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang

Detection and remediation

To check whether your machine is infected and to clean it, you can EITHER 

use the GuardiCore detection & cleanup script by simply running:  cscript.exe GC-BondnetCleaner.vbs

OR

do it manually using the following series of steps:

Log files

Every compromised Windows machine hosts at least one of the following log files:

  • %windir%wb2010kb.logContains a log of a successful attack
  • %windir%tempdfvt.logContains the log message from running the WMI trojan.  

WMI Trojan

To check whether the backdoor is currently installed, run the following command:

gwmi -Namespace “root/subscription” -Class __EventConsumer | where name -eq  “MYASECdr”

If the results include an instance of the ASEventConsumerdr it means the trojan is currently active.

Guardicore - Skip to main contentSkip to toolbar About WordPress Guardicore 3737 comments awaiting moderation New View Post SEOGood SEO score Theme Options Copy to a new draft Howdy, sophieko Clear Cache Log Out Help Screen Options Edit Post Add New Enter title here The Bondnet Army Permalink: https://www.guardicore.com/2017/05/the-bondnet-army/ ‎Edit Default Editor Toggle panel: Publish Preview Changes (opens in a new tab) Status: Published Edit Edit status Visibility: Public Edit Edit visibility Published on: May 4, 2017 @ 03:57 Edit Edit date and time Readability: Needs improvement SEO: Good Copy to a new draft Move to Trash Toggle panel: Categories All Categories Most Used Labs Blog GuardiCore News Industry News News & Press Releases Press Releases Uncategorized + Add New Category Toggle panel: Tags Add New Tag Separate tags with commas Remove term: bondnet bondnetRemove term: cyber attack cyber attackRemove term: cyber crime cyber crimeRemove term: illegal mining illegal miningRemove term: malware malwareRemove term: mining mining Choose from the most used tags Toggle panel: Post Attributes Template Toggle panel: Layout Sidebar Settings Select the desired Page layout Sidebar Setting Choose a custom sidebar for this entry Footer Settings Display the footer widgets? Title Bar Settings Display the Title Bar with Page Title and Breadcrumb Navigation? Header visibility and transparency Several options to change the header transparency and visibility on this page. Toggle panel: Featured Image Guardicore - The Bondnet Army: Questions & Answers Click the image to edit or update Remove featured image Don't display image on single post Toggle panel: Avia Layout Builder Close Layout ElementsContent ElementsMedia Elements 1/11/11/21/21/31/32/32/31/41/43/43/41/51/52/52/53/53/54/54/5Color SectionColor SectionGrid RowGrid RowTab SectionTab Section InformationTemplates <--> -3/5+x+Clone Columnedit edit+xClone Element GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. The attacker behind Bondnet breaches the victims through a variety of public exploits and installs a Windows Management Interface (WMI) trojan that communicates with a Command and Control (C&C) server. Operating under the name Bond007.01, the attacker can then take full control of the servers to exfiltrate data, hold it for ransom, use the server to stage further attacks and more. Active since December 2016, Bondent primarily mines Monero. Bond007.01 is financially motivated, earning around a thousand dollars a day. In this report, we provide details on this botnet, focusing on its infection and persistence mechanisms along with an explanation on the attack and control infrastructure. We are also sharing a detection & cleanup tool, a list of IoCs and a select list of Questions and Answers. -2/5+x+Clone Columnedit edit+xClone Element Bondnet by Numbers Bondnet has penetrated more than 15,000 machines to date Everyday 2000 machines - equals 12,000 cores - report to the Bondnet C&C Victim CPU core count varies from 1 to 64 ~ 500 new machines are added daily to the attacker’s network and around the same number of machines is delisted Bondnet victims are distributed across 141 countries in 6 continents edit+xClone Element Get the Detection & Cleanup Tool -1/1+x+Clone Columnedit edit+xClone Element Botnet Recruitment The initial attack coming from Hong Kong exploited a known weak configuration in phpMyAdmin that allowed the attacker to deploy unknown DLLs and an encoded Visual Basic script. None of these files were detected by the multiple Antivirus deployed on the botnet's victims nor by known malware repositories. Next, we noticed that the same attack patterns were launched repeatedly from different sources worldwide using different attack vectors, all sharing the same attack infrastructure. The GuardiCore Global Sensor Network (GGSN) detected the Bondnet in January 2017. The GGSN is a network of deception servers installed in multiple data centers around the world. Based on GuardiCore deception technology, it streams early threat information to GuardiCore Labs for new attack identification and analysis. Heatmap of the Bondnet victims Heatmap of the Bondnet victims While most victims are used for mining, other victims are used to conduct attacks, serve up malware files or host the C&C servers. The attacker uses the compromised machines to expand the botnet attacking infrastructure, hiding these machines among legitimate servers. Infection Strategy The attacker uses a mix of old vulnerabilities and weak user/password combinations to primarily attack Windows Server machines. The attack vectors we uncovered include known phpMyAdmin configuration bugs, exploits in JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL servers, Apache Tomcat, Oracle Weblogic and other common services. Bondnet attack vectors breakdown Common to all these attacks is a series of Visual Basic files that download and install a remote access trojan (RAT) and a cryptocurrency miner. Let’s take the MySQL attack vector as an example of how this attack works. Anatomy of a MySQL Attack The infection kicks off by planting files using the INTO DUMPFILE command in MySQL and then attempts to load them using MySQL’s plugin feature. These commands require unique privileges (among them FILE and EXECUTE) and should be blocked by default. The files are DLLs that execute a payload that runs an obfuscated Visual Basic script. The payload is executed by loading the DLL into the MySQL process and calling the allcone exported function. Executing from MySQL’s high privileges solves any permission problem the attacker might run into and helps evade antivirus heuristics. Bondnet MySQL Commands seen in GGSN The use of code obfuscation and reliance on old features with weak auditing and security mechanisms allows the attacker to bypass protection measures. In comparison to the newer and more suited to the modern era Powershell, Visual Basic code is hard to log and access to WMI objects is rarely audited. Another advantage to using Visual Basic is its backward compatibility for earlier Windows operating systems (e.g. 2003, 2008). Visual Basic Payload The Visual Basic script collects system information such as OS version, number of CPU cores, the current language and network connectivity. Using a criteria based on OS version, number of CPU cores and the OS language (Chinese or not), the script picks what to install. The OS language is used to distinguish between victims in China and elsewhere probably due to communication issues (the Great Firewall). Most victims receive code that installs a miner and a backdoor while desktop machines inside China receive a browser ad hijacker instead of a miner. The attacker's obfuscated Visual Basic code The attacker's obfuscated Visual Basic code Miner The miner’s installer picks which cryptocurrency to mine and then downloads and installs a matching miner, with priority given to Monero. Additional miners include ByteCoin, RieCoin or ZCash, all convertible to USD. To acquire the miner, the malware communicates with a hard coded file server picked from the pool of servers used as part of the attack using HTTP over port 4000 (see full list of file servers). The installer prefers to install up to date software, searching for and terminating old copies (if any exist). Last, to make sure the miner process is reboot proof and constantly running, a scheduled task, triggered hourly, activates the miner. The miner schedule task The miner schedule task WMI Trojan The backdoor is a WMI RAT downloaded from an Amazon S3 bucket (named mytest01234). The trojan is installed using a known MOF file method and set to run every night at 11PM. This backdoor works by defining a new WMI provider class inheriting from __EventConsumer by the name of ASEventConsumerdr. This enables the attacker to execute code as a result of a WMI event such as a specific time period, hiding its activity inside the noise of the WMI service process. Simple yet effective. The backdoor starts by enabling the Guest account and resetting its password, enabling the attacker to remotely connect to the victim if required using RDP, SMB, RPC etc. Then it collects and transmits computer metadata to a C&C server directed from mst.mymst007.info. Computer name RDP Port Guest username OS Version Number of active processors Uptime measured in hours The original infection vector Whether the victim is running a chinese version of Windows OS language CPU architecture (x86/x64) The data is encoded and sent over HTTP as a list of numbers, corresponding to ASCII character values of the data shifted from their original value by two. Communication is done over plain HTTP Last, the malware downloads a command file from mst.mymst007.info over port 8080 and executes it. The commands are obfuscated Visual Basic code, encoded just like the metadata uploaded to the C&C server. After decoding, the malware executes the given code “in memory” using built-in language features, avoiding any writes to disk which might be picked up by logging mechanisms and security software scanning for file activity. The command we’ve observed downloads another file named jk.zip from the C&C server, which is an up to date version of the miner installation code that, if required, replaces the current miner installed on the victim. Oddly enough, this file is saved to disk (as xw.tmp) and only then executed, losing the inherent benefits associated with the C&C’s command execution method. Over time we’ve observed several versions of the installation script, all similar to the miner's installer previously described. Controlling Bondnet On each victim-turned-C&C server, the attacker installs a small webserver. This server, a fork of goup, is a small open source HTTP server written in Golang. The attacker added to goup features such as tracking victims and file encryption on disk using AES. To avoid auditing and firewall alerts, the attacker uses .asp and .zip file extensions for files served by the C&C server. The C&C listens on port 8080 and allows the victim to do the following: Upload information - Victims can upload information by sending data to all.asp. This information is passed in the URL’s query string over a variable named info. The server takes this information, encrypts it with a constant AES key and logs it in Base64 format to a file named za.txt. Download command - Commands are delivered when requesting alldl.asp. This file and multiple others (jk.zip, xz.zip) are saved encrypted on disk and are decrypted in memory before being sent to victims. Trojan command and control flow Trojan command and control flow This web server has an administration interface allowing common file operations such as uploading files, deleting them, creating folders, etc. All these operations require the client to pass authentication which we were able to bypass, giving us access to the files hosted on all the attacker’s C&C and file servers. The C&C server's administration interface The C&C server's administration interface Deploying new command and control instances is a manual process. The attacker connects over RDP to the victim machine, copies over a ZIP file (named ALL-HFS.zip or main.zip) containing the server, an open source service manager (nssm) and command files. Using an included batch script (named 32.bat), the server is installed with the innocuous name of w3wp (same name as the Microsoft IIS host process) and runs on startup. Occasionally the attacker chooses not to create the all.asp file and the result is that some C&C servers don’t save the information the trojans send. Attack Infrastructure The entire infrastructure is built of compromised servers that have been assigned specific roles such as C&C servers, file servers, scanning servers etc. To find new targets, the attacker scans the internet using WinEggDrop, a TCP port scanner available on hacker forums, that provides an updated list of IPs with open ports. Given a list of IP ranges, the scanning server checks for the existence of public unpatched vulnerabilities in different frameworks such as Apache Struts 2 and stores these IPs. Other servers are dedicated attack machines for specific attack vectors such as MSSQL and phpMyAdmin unpatched vulnerabilities. Many victims are repurposed as file servers to serve up mining software to different victims over HTTP on port 4000. The attacker deploys the same web server deployed on the C&C servers on these file servers. File listing of a miner file server File listing of a miner file server Unlike the rest of the infrastructure which is built of compromised servers, the attacker uses Amazon S3 bucket to host the WMI trojan files. Who are you Bond007.01? Bond007.01, the attacker behind Bondnet, also goes by the alias leebond986 that shows up in multiple pieces of code compiled by him, including prior and modern variants of the miner software. The attacker's habit of reusing his own code and having very simple constructs makes us believe the attacker operates alone. We have multiple reasons to assume that Bond007.01 is based in China: The attacker copies and pastes code into his tools from Chinese websites even though non-Chinese websites are equally available to him. The attacker’s code handles Chinese desktop victims differently compared to all other victims. The Bondnet C&C server is compiled on a Chinese computer. The source directory for the C&C server contains chinese letters, E:/GO语言 , translated to golang Detection and remediation To check whether your machine is infected and to clean it, you can EITHER use the GuardiCore detection & cleanup script by simply running: cscript.exe GC-BondnetCleaner.vbs OR do it manually using the following series of steps: Log files Every compromised Windows machine hosts at least one of the following log files: %windir%wb2010kb.log - Contains a log of a successful attack %windir%tempdfvt.log - Contains the log message from running the WMI trojan. WMI Trojan To check whether the backdoor is currently installed, run the following command: gwmi -Namespace "root/subscription" -Class __EventConsumer | where name -eq "MYASECdr" If the results include an instance of the ASEventConsumerdr it means the trojan is currently active. Output of a command on an infected machine To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands remove the class object, preventing an easy return. gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EF" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class __EventFilter | where name -eq "EFNMdr" | Remove-WmiObject gwmi -Namespace "root/subscription" -Class ASEventConsumerdr | Remove-WmiObject $query = "SELECT * FROM meta_class where __class = 'ASEventConsumerdr'" Get-WmiObject -Query $query -Namespace "rootsubscription" | where Name -eq "ASEventConsumerdr" | Remove-WmiObject Miner To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or "cell" that runs a batch script. If detected, remove it along with the miner directory. You can also filter suspicious tasks with the following two commands SCHTASKS /Query /V /FO LIST /TN gm SCHTASKS /Query /V /FO LIST /TN ngm SCHTASKS /Query /V /FO LIST /TN cell In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list. Backdoor User If prior steps have shown your machine is compromised, inspect the following as well: Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password. Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”. RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command: reg query "HKLMSYSTEMCurrentControlSetControlTerminal Server" /v fDenyChildConnections If the value is 0, RDP connections are enabled. Summary In this campaign, the attacker's objective is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power. Building an attack infrastructure on top of victim machines helps conceal the attacker's true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet. While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today's mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim's network. If you want to make sure your machines are not infected, download our free detection & cleanup tool below. -1/1+x+Clone Columnedit edit+xClone Element . Fill in your details to get the detection & cleanup tool edit+xClone Element -1/1+x+Clone Columnedit edit+xClone Element Appendix - Network IoCs In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080). DNS - mst.mymst007.info IP Address Type 203.113.10.12 Attack machine 122.204.161.241 Attack machine 112.53.74.38 Attack machine 59.3.127.132 Command and control 211.238.181.106 Command and control 190.7.109.20 Command and control 162.248.241.98 Command and control 158.85.244.196 Command and control 154.58.200.234 Command and control 122.144.133.35 Command and control 113.193.10.247 Command and control 220.171.1.36 Command and control 219.146.77.76 Miner repository 216.151.217.142 Miner repository 211.72.242.94 Miner repository 207.58.148.138 Miner repository 123.140.250.150 Miner repository 117.34.117.55 Miner repository 115.146.122.254 Miner repository 187.28.38.3 Miner repository 122.227.176.86 Miner repository 50.207.71.22 Miner repository 72.167.201.140 Inactive 69.90.114.185 Inactive 47.90.206.226 Inactive 222.185.247.246 Inactive 203.236.80.38 Inactive In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list. minergate.com miner.center shscrypto.net cryptonight.net democats.org cryptmonero.com cryptmonero.com riepool.ovh flypool.org nanopool.org suprnova.cc minergate.com minexmr.com crypto-pool.fr dwarfpool.com Appendix - File IoCs The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files. In addition, the following file names are indicative of compromise. %windir%wb2010kb.log - Indicative of compromise by the initial stage of any infection vector %windir%tempdfvt.log - indicative of compromise by the MOF file (more interesting) Attack files Hash Path 2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp 1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp Also known as xz.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip 5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip 25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar 36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip 129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof 7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf Miners The miner executables themselves change frequently but keep the same names, listed here smssm.exe msdc.exe z64.exe servies.exe Hash Path 37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar 9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar 3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar 91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar 40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z 01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf 26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar 822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar 25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar 3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar 7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar 469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat 18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat 0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat 3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat 111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat 15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz 710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz 05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe 785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe 18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe 1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe 34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt 1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe 63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe 2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe 6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe 9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat 92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat 428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe 89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar 376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat 7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe 4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe Toggle panel: Authors Click on an author to change them. Drag to change their order. Click on Remove to remove them. Daniel GoldbergDaniel Goldberg Remove Ofri ZivOfri Ziv Remove Search for an author Toggle panel: Yoast SEO Need help? Go Premium(Opens in a new browser tab) Content optimization Good SEO score Social Advanced Snippet Preview SEO title preview: The Bondnet Army - Guardicore Url preview:www.guardicore.com › 2017 › 05 › the-bondnet-army Meta description preview: GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the ... Mobile previewDesktop previewEdit snippet Readability analysis Needs improvement Focus keyphrase Good Bondnet Add related keyphrase Cornerstone content Toggle panel: Excerpt Excerpt GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions. Excerpts are optional hand-crafted summaries of your content that can be used in your theme. Learn more about manual excerpts. Toggle panel: Discussion Allow comments Allow trackbacks and pingbacks on this page Toggle panel: Easy Modal Thanks for creating with WordPress and hosting with Kinsta Version 5.1 Text BlockX ContentColorsScreen Options Content Enter some content for this textblock Add MediaVisualText Paragraph P Font Size Size of the text in px Custom Css Class Add a custom css class for the element here. Make sure to only use allowed characters (latin characters, underscores, dashes and numbers) Element Preview Set preview background:Save Close media panel Add Media Filter by typeFilter by dateSearch Media Search media items... ATTACHMENT DETAILS Saved. Diag_3517-2.png February 23, 2019 2 MB 1459 by 1262 pixels Edit Image Delete Permanently URL https://www.guardicore.com/wp-content/uploads/2017/05/Diag_3517-2.png Title Diag_3517-2 Caption Alt Text Description Required fields are marked * Copyright ATTACHMENT DISPLAY SETTINGS Alignment Link To Size 1 selected Clear Insert into post

Output of a command on an infected machine

To remove it, run the following commands. Note that the first two commands remove the Event callbacks and the third command removes the WMI provider instance; the last two commands  remove the class object, preventing an easy return.

gwmi -Namespace “root/subscription” -Class __EventFilter | where name -eq “EF” | Remove-WmiObject

gwmi -Namespace “root/subscription” -Class __EventFilter | where name -eq “EFNMdr” | Remove-WmiObject

gwmi -Namespace “root/subscription” -Class ASEventConsumerdr | Remove-WmiObject

$query = “SELECT * FROM meta_class where __class = ‘ASEventConsumerdr'”

Get-WmiObject -Query $query -Namespace “rootsubscription” | where Name -eq “ASEventConsumerdr” | Remove-WmiObject

Miner

To locate the miner, check for the existence of a scheduled task with a short name, either “gm”, “ngm” or “cell” that runs a batch script. If detected, remove it along with the miner directory.

You can also filter suspicious tasks with the following two commands

SCHTASKS /Query /V /FO LIST /TN gm

SCHTASKS /Query /V /FO LIST /TN ngm

SCHTASKS /Query /V /FO LIST /TN cell

In some cases the batch script that runs the miner is executed directly by the trojan (without a scheduled task). To kill it, look for one of the miner’s possible process names in the process list.

Backdoor User

If prior steps have shown your machine is compromised, inspect the following as well:

  • Guest account: If you are not using your Guest account reset its password and disable it. If you are using it, reset your password.
  • Unknown local users: Make sure there are no unknown local users, particularly users under the Administrators security group, for example we’ve observed parts of the botnet adding a user named “webadmin”.  
  • RDP connections: To complete the cleanup, make sure that RDP connections are disabled unless required. To determine whether RDP connections are disabled, check the registry key using the following command:

reg query  “HKLMSYSTEMCurrentControlSetControlTerminal Server” /v  fDenyChildConnections

If the value is 0, RDP connections are enabled.

Summary

In this campaign, the attacker’s objective  is to mine cryptocurrencies, a task which requires large amounts of CPU/GPU power. This is why our attacker focus on servers, rather than the more easily attacked consumer IoT devices. While the practice of Bitcoin mining has shifted to large commercial vendors (particularly in China), it’s still profitable to privately mine alternative cryptocurrencies. Especially if you’re not paying for power.

Building an attack infrastructure on top of victim machines helps conceal the attacker’s true identity and origin of the attack. It also provides high availability infrastructure, which is very helpful when relying on compromised servers, in case one of the servers fails or loses connectivity to the internet.

While organisations can treat this as an issue of increased electric bills which can annually result in additional costs of 1000-2000$ per server, this may only be the beginning. With relatively simple modifications the Bondnet can use its complete control over compromised organization servers, many of which contain sensitive information, to spread evil and perform other illegal actions. Today’s mining may easily become a ransomware campaign, data exfiltration or lateral movement inside the victim’s network.

If you want to make sure your machines are not infected, download our free detection & cleanup tool below.

.

Fill in your details to get the detection & cleanup tool


Appendix – Network IoCs

In all infection vectors known to us, all of the following IPs are used at different stages of the attack. These are all legit servers under the attacker’s control, hosting the attacker’s custom web server on different ports (4000 and 8080).

DNS – mst.mymst007.info

IP Address Type
203.113.10.12 Attack machine
122.204.161.241 Attack machine
112.53.74.38 Attack machine
59.3.127.132 Command and control
211.238.181.106 Command and control
190.7.109.20 Command and control
162.248.241.98 Command and control
158.85.244.196 Command and control
154.58.200.234 Command and control
122.144.133.35 Command and control
113.193.10.247 Command and control
220.171.1.36 Command and control
219.146.77.76 Miner repository
216.151.217.142 Miner repository
211.72.242.94 Miner repository
207.58.148.138 Miner repository
123.140.250.150 Miner repository
117.34.117.55 Miner repository
115.146.122.254 Miner repository
187.28.38.3 Miner repository
122.227.176.86 Miner repository
50.207.71.22 Miner repository
72.167.201.140 Inactive
69.90.114.185 Inactive
47.90.206.226 Inactive
222.185.247.246 Inactive
203.236.80.38 Inactive

In addition, unless you have an explicit reason to opt in, you should block traffic to all cryptocurrency mining pools in this list.

  • minergate.com
  • miner.center
  • shscrypto.net
  • cryptonight.net
  • democats.org
  • cryptmonero.com
  • cryptmonero.com
  • riepool.ovh
  • flypool.org
  • nanopool.org
  • suprnova.cc
  • minergate.com
  • minexmr.com
  • crypto-pool.fr
  • dwarfpool.com

Appendix – File IoCs

The following files are written or downloaded as part of the attack. Several of them have shifting file names and some are archives that contain more files.

In addition, the following file names are indicative of compromise.

%windir%wb2010kb.log – Indicative of compromise by the initial stage of any infection vector

%windir%tempdfvt.log – indicative of compromise by the MOF file (more interesting)

Attack files

Hash Path
2C86F79A3AE1D70F156E58EBE96EE53EC57D2CCD33D80B6E1E2E30B53552F585 xstc.tmp
1629E3C0B572604BCA584DD2B91DF55F6B8C3B60BC21A45DBABE97B975B5F06E zzxc.tmp

Also known as xz.zip
01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 cnmofb.zip
01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 usmofb2.zip
5FD1CFF5505B46420CA92B8512A5435B5FA42D44BA6693994344319C38737CE0 dlveaz.zip
25B6B320AEF0148B00AE71EB5FDB0E9DC77D7DA6BC7B96A74BDD4CED37A1B8CC gg.rar
BBF16C1667E333093710D8A7F07CAF60367BB5BF94E1AC0E6FB9BA5B02A5F7DE ie.rar
36CC9BF0492DA4FAA694A206A5682E74458E1D150A5F2D0D06C130F694E38550 ist.zip
129CDA65B2EFA0CDC63DB2B353467372CF553490242507BE1B454208DD2415C9 mat.zip
428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 rar.zip
01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 amof
7020B0AE1B15416C517B235378F0E6EA4477434A3D528DF7FBC8D40EE6A82AFA az.7z
B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z
01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf

Miners

The miner executables themselves change frequently but keep the same names, listed here

  • smssm.exe
  • msdc.exe
  • z64.exe
  • servies.exe
Hash Path
37776E3129CA205FD85DD5BF124B9BFEBE22B9232EAA7E06A6F5E109ADB408CC 323.rar
9E9DFEA4D777E8261B86579C9BBC1C591AE99A259E546AF3ED5860763514F6B3 323.rar
3FBF476CA428B4D2CD9F6A49492A84228766356B891461DA5534C39D4DE23E6C 64.rar
D4986E3E9BF93CC0893381AFA9D6824948E79127831CDB3D213044B1B630F28A 64.rar
91DAB62781ED28A97EF2153F0CABF9BBE0BF960CE1E02BD9C5AFD3162169986C 643.rar
FBC31C1ECC06428D5FA165146F6139A7C86EAC799C2B60263809DD1AFD653254 643.rar
40C0BD3A3CF327E2C56595FC31F1A31098404FBEA30DFF6978B49FA8184F1758 64m.rar
B596C687138077C5C6BB28FDA53DDEB9B354C2F3C085A80A9629BD2968F881FD az.7z
01AFA1722D0F30EAE8125AD994FD8C4CF3FB1DD49CB161534911267A3F8ED864 azmf
26059C67E2F07D75CE0874E496B2ED77FA77C32141A7E897275AC87298D01406 bl.zip
D2AB6A15511AFBD1CB7348CA76107C07CFB558DCDC67F493FB01482DCF425141 dl2.zip
710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz
EFFE75D5F5F07C0388153899B8EC73663202C975539FB170447D4616A1EFC2C5 H64.rar
822C30FFECBDC00E770FE17BD463AD0533309BFD6B3FEE405F27B405605DF21F H64.rar
25953F6BC86A29351F7765EAAB384ED3C97220F13E3C3C014D99B89393A3EC30 H64b2.rar
F5FDEF1CE9AB393C4BB2B2409BE43AB7AA892C09B7029167D4EC22F68CB5D271 H64m.rar
3C753EDA875714A0D67D5BA0C26B58526C8D454CC6B0F97F61BE64BAE0E708EC H64m2.rar
B89CFBD33E5ADBA45746D350D4BBA5D07E2D64B406E035FCCC19137C5E3AECB1 H64m3.rar
7CD21E65D78C5B86C73F9FA8C0AF911B76F0120FC1331CC638FB470637A16CAB st2b3.rar
469CF3AD1E65A2685E279B00C374EF74BDDD75DCD14FBDDEED3181F1EF2B44B8 kit.bat
BE19BDC4B304E1AC9DE6739F97C3AA0E90884D9B673F33701B5C7713707FB186 kit.bat
F1FEAB43D8FA26317C798BD36D861266093C5FD2A54E47B17096249AC4E028F1 kit.bat
18384F3132D3CBF923CC408D6E897978BA0FE81A3DF93EE50E176514F0D02E44 kit.bat
0CA02DB71A257403E2A39777614F7C46B67F219CF368F89F083ABED37B228C74 kit.bat
3473CAFE48140076892C009B0FC95A1B5E7B7963891DC1862E80E9F103A999E8 go.bat
111BD8F080EAC84719EBD17448D8557124EF497A9A60EF6FE81E877CCB27CC34 go.bat
15F2906B63BD899A1657A34B4CF65EB18A342848F6579E8495CDA54E998BA164 mall.tar.gz
710348D7A19F7C1E38DBC5225067804F16748455A1F0854EC17B76A8F3578E3B my.tar.gz
05FF3DD3FF48D182396AE2C41DD69BCBC2A8B66B84DE91215AD201A4CC386C2D PsList.dll
DF33D1752FF5DD3F9D295A51EA81228EF3F56FF42566E39DF5CAE23B52FE6B51 mstxmr
AE8B8C41596081B6D960DB6C33910C1AE7BF2BA237A28CC9E49B497B47442F2B msdc.exe
C44500C2909E6B9C71852E7DAD5C6F019EB69FE0B881581FE72F06C7410D21CA msdc.exe
785D97C2C215C3C0B76C11610680F04236EF1A5C7FBCF4A86FB5F89996858B78 msdc.exe
18A2F191DB62CC45601981180E6263C46657F537E0842CBC350A47EFAA775178 msdc.exe
1A89152C95AB3C655F6E70EE799A7AB5AB65282F51D50769AF3633FACA26B586 msdc.exe
34A487FA8934DDAF4CC1DF6366360B10BFD4DEAC1891851FEBE94C171C88D649 pools.txt
1134A18D4C09F377F874053D29E4905163A961A0C8ED0638FEFF896440DEAD8A servies.exe
B687EF3A0A6E356ECEE1A8ABF1FD0CBE2E207DB3D38E7F09E94DB6B25C28B607 servies.exe
C3900CBBBC2BAAFDDC161518ACA006E1070EB496D7C573C4E6EA7053CFAACC30 servies.exe
63924483075EA94FBB30076AA3E30D6AB9B4DC9DE818EC9744C8F3281347938A smss.exe
2DAAAC537D577AF353BF71CF465C4E8B1A19EA7BA1EEC09B9A04789841E2BAEF smss.exe
6DB898604799DD36A1FCA498743BA293747FD7B0FEBC41ABC29A12DBE5053C6E smss.exe
9E0ECE6865AE3C6DB35EA96356F025CAF257CE5F9A87B9DEC2C76EE60B477EE2 sst.bat
A1F041A28EB6CBED11D2C34D7A463BA75CA453303692369FE00E6AD5038C5866 sst.bat
92E979CEF1F1D5317529D4E433AEFF433FF701E49C915231E0896C1384145998 sst.bat
428D06C889B17D5F95F9DF952FC13B1CDD8EF520C51E2ABFF2F9192AA78A4B24 un.rar
E0630FB9582C9274739DB250260A612C868E8D4DD29993E6D632A7044B3EDEBB z64.exe
89ED392AC3E00AE7D899077C5CB4C789605229C718479B9FF4065C21DC7A8019 zectst.rar
376D64AB957AD955BB969321D76545387BBF9208238D069B09AF22B0471D5E44 zt.bat
7374051E75AE97BA687CD153927FACCD21FCDCC0B41A42867D38AC62064F6ABA csrss.exe
C1FEE6F3375B891081FA9815C620AD8C1A80E3C62DCCC7F24C5AFEE72CF3DDCD csrss.exe
4E3E2841D4166E394E0D19307E898879793BCB244E1AC6ECBB472B848FF760C1 csrss.exe
11 replies
  2. eric
    eric says:

    Thanks for sharing!! I ran the tool and was infected on my Windows server 2008 R2. I cleaned the infection, however at 11pm once again the guest account got re enabled! Any further suggestions?

    Thnaks, Eric

    Reply
    • Daniel Goldberg
      Daniel Goldberg says:

      Hey Eric,
      The Guest account was reactivated is down to the WMI trojan still functioning. Every day at 11PM it will run and reinfect your machine.

      In order to remove it, you can download the cleanup script we provided (using the form in this post) or manually perform all the steps provided in the post.

      Hope this helps

      Reply
  3. Massimo
    Massimo says:

    the tools only detect if the log file is present. if you rename the logfile it says system is clean. but the wmi malware is still there.
    i found it with these powershell commands :
    find the scheduled task
    Get-WmiObject -Class __EventFilter -ComputerName . -Namespace ROOT\DEFAULT -filter “Name=’Power'” | Select-Object * -ExcludeProperty PSComputerName, Scope, Path, Options, ClassPath, Properties, SystemProperties, Qualifiers, Site, Container | Format-List -Property [a-z]*
    find the malware source code (vbs)
    Get-WmiObject -Class __EventConsumer -ComputerName . -Namespace ROOT\DEFAULT | Select-Object * -ExcludeProperty PSComputerName, Scope, Path, Options, ClassPath, Properties, SystemProperties, Qualifiers, Site, Container | Format-List -Property [a-z]*

    remove the scheduler & malware :
    gwmi -namespace root\default -class __eventfilter | where {$_.name -eq “Power”} | remove-wmiobject
    gwmi -namespace root\default -class __eventconsumer | where {$_.name -eq “Power”} | remove-wmiobject
    gwmi -namespace root\default -class __filtertoconsumerbinding -Filter “Filter = “”__eventfilter.name=’Power'””” | remove-wmiobject
    these queries were found on rich kreider web site

    regards
    Massimo

    Reply
    • Daniel Goldberg
      Daniel Goldberg says:

      Thank you for your comment,

      Our script does not just detect the log file but also checks for the WMI persistence. Maybe you’re seeing a new variant? Could you send the VB code you’re running into?

      Daniel

      Reply
  5. Alex
    Alex says:

    Thank you for this awesome investigation! You and Rich Kreider’s site helped me in my fight against this crypt currency miner!
    He and the fellows in his blog (https://kreider.io/tech/cpu-miner-installed-via-windows-os-vulnerability/ ) found similar WMI instance (ActiveScriptEventConsumer.Name=”PowerLog”).

    Here is what Mike wrote (https://kreider.io/tech/cpu-miner-installed-via-windows-os-vulnerability/#comment-25):

    Here are the steps I followed to delete this script:
    1) Go to Start –> Run –> and enter “WBEMTest” to start the “Windows Management Instrumentation Tester” application.
    2) Check the “Enable All Privileges” check box.
    3) Click the “Connect…” button.
    4) Enter “rootdefault” in the “Namespace” box and click the “Connect” button.
    5) Click the “Enum Instances…” button and enter “ActiveScriptEventConsumer”.
    6) Click “ActiveScriptEventConsumer.Name=”PowerLog”” in the list of results and click the “Delete” button.
    7) Click the “Close” and “Exit” buttons to shut down the application.

    Reply
    • Tatiane
      Tatiane says:

      Hello, Alex.

      After the deletion, did the server have a problem?

      I followed his steps but I fear to exclude and cause some impact on the server.

      Thanks.

      Reply
    • Daniel Goldberg
      Daniel Goldberg says:

      Hello Alex and Tatiane,

      You’re right and we’ve been seeing newer variants of this attack come up with both new exploits (for the attacker) and a different C&C infrastructure. These links provide good examples.

      If we want to be generic, the important thing is to run the same steps we provide but without filters and manually find the new event consumers and delete them.

      Daniel

      Reply

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

LATEST POSTS
Highlights of BlueHat Israel 2019
A vulnerability in Debian’s apt allows for easy lateral movement in data centers
‹ Back to Guardicore Labs