OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

Palo Alto Networks Live Community provides details on a current security threat from a middle eastern hacker group known as OilRig. Read more on how OilRig targets government organizations and the hack methods they could be using to access information. Join the discussion with other security professionals on Live Community.




The OilRig group has been active since at least mid-2016, and continues their attack campaigns throughout the Middle East, targeting both governmental agencies and businesses on an almost routine basis.


In August 2018, Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER. The BONDUPDATER Trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands. During the past month, Unit 42 observed several attacks against a Middle Eastern government, leveraging an updated version of the BONDUPDATER malware, which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications.


In mid-August, the OilRig threat group sent what appeared to be a highly targeted phishing email to a high-ranking office in a Middle Eastern nation. The spear-phishing email had an attached Microsoft Word document that contained a macro responsible for installing a new variant of BONDUPDATER.


Spear phishing email sent by the OilRig threat groupSpear phishing email sent by the OilRig threat group
OilRig is a highly diverse and very resourceful threat actor, employing a litany of methods and tools to compromise victims, but Palo Alto Networks customers are protected from this OilRig attack and BONDUPDATER by:


  • AutoFocus customers can track this Trojan with the Bondupdater_Docs tag
  • All known BONDUPDATER document samples are marked with malicious verdicts in WildFire
  • All known BONDUPDATER document C2 domains have DNS signatures and are classified as Command and Control

Find out more about this specific threat on the UNIT 42 blog.


-Kiwi out!

  • 325 Subscriptions
Register or Sign-in