OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government

by on ‎09-13-2018 04:25 AM - last edited Tuesday by (5,522 Views)

The OilRig group has been active since at least mid-2016, and continues their attack campaigns throughout the Middle East, targeting both governmental agencies and businesses on an almost routine basis.


In August 2018, Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER. The BONDUPDATER Trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands. During the past month, Unit 42 observed several attacks against a Middle Eastern government, leveraging an updated version of the BONDUPDATER malware, which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications.


In mid-August, the OilRig threat group sent what appeared to be a highly targeted phishing email to a high-ranking office in a Middle Eastern nation. The spear-phishing email had an attached Microsoft Word document that contained a macro responsible for installing a new variant of BONDUPDATER.


Oilrig_1-2.pngSpear phishing email sent by the OilRig threat group
OilRig is a highly diverse and very resourceful threat actor, employing a litany of methods and tools to compromise victims, but Palo Alto Networks customers are protected from this OilRig attack and BONDUPDATER by:


  • AutoFocus customers can track this Trojan with the Bondupdater_Docs tag
  • All known BONDUPDATER document samples are marked with malicious verdicts in WildFire
  • All known BONDUPDATER document C2 domains have DNS signatures and are classified as Command and Control

Find out more about this specific threat on the UNIT 42 blog.


-Kiwi out !


Ask Questions Get Answers Join the Live Community