BondUpdater is malware first discovered by FireEye in mid-November 2017, when APT34 targeted a Middle Eastern governmental organization. This PowerShell-based Trojan is associated with other malicious programs such as POWBAT and POWRUNER. BondUpdater contains basic backdoor functionality that allows threat actors to upload and download files and execute commands. One of its distinctive features is the use of DNS tunneling to communicate with its Command and Control (C2) server. It was initially delivered via a malicious .rtf file exploiting CVE-2017-0199 but has since evolved to leverage the Microsoft Office vulnerability CVE-2017-11882 for deployment.
In its latest campaign, APT34 used this updated version of BondUpdater, which now includes the ability to use TXT records within its DNS tunneling protocol for C2 communications. The new variant was observed in several attacks against another Middle Eastern government during the past month. The "AppPool.ps1" file, a variant of the BondUpdater payload, uses a custom Domain Generation Algorithm (DGA) to create subdomains for communication with the C2 server. The malware also evaluates the last character of the file name and performs corresponding actions based on it.
As early as July 2017, APT34 used BondUpdater and POWRUNER to target Middle Eastern organizations. In one instance, a FireEye Web MPS appliance detected and blocked an attempt to retrieve and install a downloader file for these two malware families. The BondUpdater script, named after the hardcoded string “B007”, generates subdomains using a custom DGA. Depending on the IP address the generated subdomain resolves to, BondUpdater takes a corresponding action, such as creating a temporary file in the %temp% location.
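The DNS-tunneling behaviour described above (DGA-generated subdomains, and in the newer variant TXT-record queries carrying C2 traffic) is what a defender would hunt for in resolver logs. The following is an added example written for this page, not code from FireEye or from the malware itself. It assumes a simple log format of `<timestamp> <client_ip> <qtype> <qname>`, approximates the registered domain as the last two labels (no public-suffix list), and uses illustrative thresholds; the sample log lines and the domain `c2-placeholder.test` are constructed, since the page gives no real C2 domains or the actual DGA.

```python
"""Flag DNS TXT query patterns consistent with DNS-tunnelling C2.

Assumptions (not from the page): log lines are whitespace-separated
"<timestamp> <client_ip> <qtype> <qname>"; the registered domain is
approximated as the last two labels; thresholds are illustrative.
"""
import math
from collections import defaultdict

# Constructed sample log: host 10.0.0.5 bursts high-entropy TXT lookups under a
# placeholder domain (tunnelling-like); host 10.0.0.7 is a mail server doing
# ordinary repeated SPF and DMARC TXT lookups, which must not be flagged.
SAMPLE_LOG = """\
2024-05-04T10:00:01Z 10.0.0.5 A www.example.com
2024-05-04T10:00:02Z 10.0.0.5 TXT 0123456789abcdef0123456789abcdef.c2-placeholder.test
2024-05-04T10:00:03Z 10.0.0.5 TXT fedcba9876543210fedcba9876543210.c2-placeholder.test
2024-05-04T10:00:04Z 10.0.0.5 TXT 13579bdf02468ace13579bdf02468ace.c2-placeholder.test
2024-05-04T10:00:05Z 10.0.0.5 TXT 02468ace13579bdf02468ace13579bdf.c2-placeholder.test
2024-05-04T10:00:06Z 10.0.0.5 TXT 89abcdef0123456789abcdef01234567.c2-placeholder.test
2024-05-04T10:00:07Z 10.0.0.5 TXT 76543210fedcba9876543210fedcba98.c2-placeholder.test
2024-05-04T10:00:10Z 10.0.0.7 TXT example.com
2024-05-04T10:00:11Z 10.0.0.7 TXT example.com
2024-05-04T10:00:12Z 10.0.0.7 TXT example.com
2024-05-04T10:00:13Z 10.0.0.7 TXT example.com
2024-05-04T10:00:14Z 10.0.0.7 TXT example.com
2024-05-04T10:00:15Z 10.0.0.7 TXT example.com
2024-05-04T10:00:16Z 10.0.0.7 TXT _dmarc.example.com
2024-05-04T10:00:17Z 10.0.0.7 A mail.example.com
"""


def shannon_entropy(text):
    """Bits of entropy per character; DGA-style labels score high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Approximate the registered domain as the last two labels (assumption)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the assumed 4-field log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip(".")})
    return records


def find_txt_tunnels(records, min_txt=5, min_unique=5, min_entropy=3.5):
    """Group TXT queries per (client, registered domain) and flag groups with
    many queries, many distinct leftmost labels, and high mean label entropy.
    Requiring all three keeps repeated SPF/DMARC lookups from alerting."""
    groups = defaultdict(list)
    for r in records:
        if r["qtype"] == "TXT":
            key = (r["client"], registered_domain(r["qname"]))
            groups[key].append(r["qname"].split(".")[0])
    alerts = []
    for (client, domain), labels in sorted(groups.items()):
        unique = set(labels)
        mean_entropy = sum(shannon_entropy(l) for l in unique) / len(unique)
        if (len(labels) >= min_txt and len(unique) >= min_unique
                and mean_entropy >= min_entropy):
            alerts.append({"client": client, "domain": domain,
                           "txt_queries": len(labels),
                           "unique_labels": len(unique),
                           "mean_entropy": round(mean_entropy, 3)})
    return alerts


if __name__ == "__main__":
    for alert in find_txt_tunnels(parse_log(SAMPLE_LOG)):
        print("possible DNS TXT tunnelling:", alert)
```

The three conditions are deliberately combined: a mail server legitimately issues many TXT queries for one zone, but those carry the same low-entropy label each time, whereas tunnelled traffic needs a fresh, data-bearing subdomain per query. In production the thresholds would be tuned per environment and the registered-domain approximation replaced with a public-suffix list.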
Description last updated: 2024-05-04T17:58:33.345Z