Attackers are using powerful, high-performance bots to launch massive automated attacks, and it is a growing problem. These high-spec bots are being pooled into botnets that power some of the largest automated DDoS attacks seen on the Internet.

Such bots can wreak havoc on systems, pilfer data, and carry out full-blown cyber operations with little human intervention.

Recently, cybersecurity researchers at AhnLab's ASEC found that a group called Bondnet has been repurposing these high-performance bots as its own C2 (Command and Control) servers.

Technical Analysis

Bondnet, a threat actor that has been spreading backdoors and mining cryptocurrency since 2017, also had a few new tricks up its sleeve.

Bondnet uses high-performance compromised systems as command and control servers, configuring reverse RDP environments on them, the ASEC researchers wrote.

To do this, the actor took an open-source reverse proxy tool, FRP (fast reverse proxy), and modified it to embed the attacker's proxy server details.

Besides the reverse RDP channel that FRP provided on the targets, Bondnet installed other tools on the victims, such as the Cloudflare tunneling client (cloudflared), to keep hold of the compromised systems.

The Cloudflare tunneling client was one of the ways Bondnet connected a service on the compromised target to its C2 domain, after registering that C2 domain with Cloudflare.

One of the applications executed was HFS (HTTP File Server), which provided a file server service on TCP port 4000. Its user interface resembled this threat actor's Command and Control panel.
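The FRP reverse-RDP setup and the listeners it leaves behind are easy to hunt for once you know the shape of an FRP client config. The following is an added example written for this article, not ASEC's analysis code and not Bondnet's tooling: it parses a constructed frpc.ini of the kind an operator would ship (the server address is taken from the IOC list below; the token is a placeholder), reports whether it forwards the local RDP port, and then flags the relevant patterns in constructed netstat-style lines. It assumes FRP's stock server port of 7000 (which matches the ":7000" entries in the IOCs), the HFS port 4000 seen in this incident, and port 7844, which cloudflared uses to reach Cloudflare's edge.

```python
import configparser

# FRP client config in the shape an operator would embed to expose a victim's RDP
# service through the attacker's FRP server. Constructed for this example; the
# server address and port come from the article's IOC list, and the token value
# is a placeholder. FRP's stock server port is 7000, which matches the ":7000"
# entries among the IOCs.
FRPC_INI = """
[common]
server_addr = 84.46.22.158
server_port = 7000
token = PLACEHOLDER

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 33890
"""

# Addresses from the article's IOC list that are contacted on the FRP port.
FRP_SERVERS = {"84.46.22.158", "46.59.214.14", "46.59.210.69"}
FRP_DEFAULT_PORT = 7000       # FRP server default (bind_port); assumption, see lead-in
HFS_PORT = 4000               # HFS file server port observed in the incident
CLOUDFLARED_EDGE_PORT = 7844  # port cloudflared uses to reach Cloudflare's edge
RDP_PORT = 3389


def parse_frpc(ini_text):
    """Parse an frpc.ini and return (server_addr, server_port, exposed_local_ports).

    exposed_local_ports lists every local TCP port the config forwards out to
    the FRP server; 3389 in that list is the reverse-RDP pattern described above.
    """
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    common = cp["common"]
    exposed = []
    for name in cp.sections():
        if name == "common":
            continue
        section = cp[name]
        if section.get("type") == "tcp" and "local_port" in section:
            exposed.append(int(section["local_port"]))
    return common["server_addr"], int(common["server_port"]), exposed


def exposes_rdp(ini_text):
    """True when the config forwards the local RDP port out to the FRP server."""
    return RDP_PORT in parse_frpc(ini_text)[2]


def hunt(netstat_text, frp_servers=FRP_SERVERS):
    """Flag the three network patterns from the incident in 'netstat -ano' output.

    Returns a list of (finding, pid, endpoint) tuples:
      hfs_listener     - a TCP listener on the HFS port
      frp_c2           - an established session to a known FRP server or to
                         the FRP default port
      cloudflared_edge - an established session to the cloudflared edge port
    """
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP":
            continue
        _proto, local, remote, state, pid = parts[:5]
        _lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        if state == "LISTENING" and int(lport) == HFS_PORT:
            findings.append(("hfs_listener", pid, local))
        elif state == "ESTABLISHED":
            if rip in frp_servers or int(rport) == FRP_DEFAULT_PORT:
                findings.append(("frp_c2", pid, remote))
            elif int(rport) == CLOUDFLARED_EDGE_PORT:
                findings.append(("cloudflared_edge", pid, remote))
    return findings


# Constructed sample of Windows 'netstat -ano' output (not data from the incident).
NETSTAT_SAMPLE = """
TCP    0.0.0.0:4000         0.0.0.0:0            LISTENING       4412
TCP    192.168.10.5:49812   84.46.22.158:7000    ESTABLISHED     5120
TCP    192.168.10.5:49900   198.51.100.7:7844    ESTABLISHED     6012
TCP    192.168.10.5:50011   203.0.113.10:443     ESTABLISHED     3300
"""

if __name__ == "__main__":
    print(parse_frpc(FRPC_INI), exposes_rdp(FRPC_INI))
    for finding in hunt(NETSTAT_SAMPLE):
        print(*finding)
```

The netstat check only matches the defaults; an operator can move FRP off port 7000 and rebuild cloudflared, so treat these as triage signals and pair them with the file hashes in the IOC list below and with a look at which process (the PID column) owns each flagged socket.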

The HFS program, written in Go, ran into environmental issues on the victim, so it was not possible to observe how the system would have been turned into a command-and-control server.

Even so, there is strong evidence that Bondnet intended to use high-performance compromised systems as part of its C2 infrastructure through this tunneling approach.

Bondnet linked the compromised targets to its Cloudflare-hosted C2 domain, using the Cloudflare tunneling client and the HFS program to associate the systems' services with that domain.

The plan appears to have been to convert high-performance bots into C2 infrastructure reachable over reverse RDP connections.

No data exfiltration or lateral movement was detected, although the similarity between the HFS program's UI and the actor's C2 panel pointed to its intended use. During analysis of this system, the HFS program turned out not to work properly.

Some months later, the actor's C2 UI changed, new malicious files appeared, and files that had previously been deleted were restored. This suggests that, after running into problems turning the initial target into a C2 node, the actors moved to another compromised bot with different tooling.

IOCs

MD5s:

  • D6B2FEEA1F03314B21B7BB1EF2294B72 (smss.exe)
  • 2513EB59C3DB32A2D5EFBEDE6136A75D (mf)
  • E919EDC79708666CD3822F469F1C3714 (hotfixl.exe)
  • 432BF16E0663A07E4BD4C4EAD68D8D3D (main.exe)
  • 9B7BE5271731CFFC51EBDF9E419FA7C3 (dss.exe)
  • 7F31636F9B74AB93A268F5A473066053 (BulletsPassView64.exe)
  • D28F0CFAE377553FCB85918C29F4889B (VNCPassView.exe)
  • 6121393A37C3178E7C82D1906EA16FD4 (PstPassword.exe)
  • 0753CAB27F143E009012053208B7F63E (netpass64.exe)
  • 782DD6152AB52361EBA2BAFD67771FA0 (mailpv.exe)
  • 8CAFDBB0A919A1DE8E0E9E38F8AA19BD (PCHunter32.exe)
  • 00FA7F88C54E4A7ABF4863734A8F2017 (fast.exe)
  • AD3D95371C1A8465AC73A3BC2817D083 (kit.bat)
  • 15069DA45E5358578105F729EC1C2D0B (zmass_2.bat)
  • 28C2B019082763C7A90EF63BFD2F833A (dss.bat)
  • 5410539E34FB934133D6C689072BA49D (mimikatz.exe)
  • 59FEB67C537C71B256ADD4F3CBCB701C (ntuser.cpl)
  • 0FC84B8B2BD57E1CF90D8D972A147503 (httpd.exe)
  • 057D5C5E6B3F3D366E72195B0954283B (check.exe)
  • 35EE8D4E45716871CB31A80555C3D33E (UpSql.exe)
  • 1F7DF25F6090F182534DDEF93F27073D (svchost.exe)
  • DC8A0D509E84B92FBF7E794FBBE6625B (svchost.com)
  • 76B916F3EEB80D44915D8C01200D0A94 (RouterPassView.exe)
  • 44BD492DFB54107EBFE063FCBFBDDFF5 (rdpv.exe)
  • E0DB0BF8929CCAAF6C085431BE676C45 (mass.dll)
  • DF218168BF83D26386DFD4ECE7AEF2D0 (mspass.exe)
  • 35861F4EA9A8ECB6C357BDB91B7DF804 (pspv.exe)

URLs And C2s:

  • 223.223.188[.]19
  • 185.141.26[.]116/stats.php
  • 185.141.26[.]116/hotfixl.ico
  • 185.141.26[.]116/winupdate.css
  • 84.46.22[.]158:7000
  • 46.59.214[.]14:7000
  • 46.59.210[.]69:7000
  • 47.99.155[.]111
  • d.mymst[.]top
  • m.mymst[.]top
  • frp.mymst007[.]top
