The OilRig group conducted at least one attack campaign containing an updated variant of the BONDUPDATER trojan as its final payload.
In August 2018, Palo Alto Networks’ Unit 42 threat research team detected an OilRig campaign targeting a high-ranking government organization in the Middle East. The email campaign leveraged spear-phishing, one of the most common types of phishing. The attack emails themselves contained no subject and came with a attachment named “N56.15.doc.”
Embedded in that Microsoft Word document were malicious macros that created two files: “AppPool.vbs” and “AppPool.ps1.” The VBScript executed AppPool.ps1, a PowerShell script which was actually a variant of BONDUPDATER.
First discovered by FireEye in mid-November 2017, BONDUPDATER is a trojan that functions as a backdoor by allowing digital attackers to upload and download files as well as execute commands. Like other OilRig payloads, BONDUPDATER uses DNS tunneling to communicate with its command-and-control (C&C) server. But this version is different than previous variants of the trojan in that it uses a series of DNS TXT queries to obtain files from the C&C server. The new variant of BONDUPDATER also comes with a lock file that’s useful for verifying whether more than one instance of the trojan is running on the infected machine and for determining how long the PowerShell process has been running.
Ultimately, BONDUPDATER saves files in its “sendbox” and sends them to its C&C server. It then terminates and waits for its scheduled task to run again in the future.
Unit 42’s Kyle Wilhoit and Robert Falcone explained in a blog post that the new BONDUPDATER variant is a testament to OilRig’s dynamic character:
As expected, OilRig is continuing their onslaught of attacks well into 2018 with continued targeting in the Middle East. Sometimes developing new tools, OilRig also often uses what has worked in the past, including developing variants of previously used tools and malware. This reduces development time and capitalizes on previous versions of the tool and its success.
Organizations can protect themselves by monitoring for the IoCs associated with the updated trojan.