BONDUPDATER
BONDUPDATER is a PowerShell-based downloader and remote-access trojan attributed to the Iranian threat group OilRig (APT34). Public reporting places its use as early as mid-2017, including campaigns against Middle Eastern government and other regional targets, and describes it as one component of OilRig's broader toolset alongside Helminth, ISMAgent, LIONTAIL, and TONEDEAF.
The malware is used for sustained access and post-compromise operations. Documented capabilities include command-and-control over DNS, a custom domain generation algorithm that produces the subdomains used for C2 communication, downloading and uploading files, and reading batch commands from a file supplied by the C2 server and executing them via cmd.exe. Different versions function as a remote-access trojan or as a downloader, and OilRig has used it in operations involving credential theft, lateral movement, intelligence collection, malware deployment, and document exfiltration.
BONDUPDATER's stealth and persistence mechanisms are built around PowerShell. It launches PowerShell with -windowstyle hidden so the download stage runs without a visible console window, and it persists through a scheduled task that executes every minute. In one documented infection chain attributed to APT34/OilRig, a malicious RTF exploiting CVE-2017-11882 led to execution via mshta.exe, retrieval of additional scripts, and installation of scheduled-task persistence that launched VBS and PowerShell payloads every minute from C:\ProgramData\Windows\Microsoft\java. In that chain, dUpdateCheckers.ps1 was identified as the BONDUPDATER component.
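On disk, that persistence is a Task Scheduler definition, which is also the easiest artifact to sweep for across a fleet. The script below is an added example, not code from this page or from the vendor reporting it summarizes: it parses Task Scheduler XML (the format emitted by `schtasks /query /xml /tn <name>` and stored under C:\Windows\System32\Tasks) and scores each task against the pattern described above, a trigger repeating every minute (ISO 8601 duration PT1M) combined with a hidden-window PowerShell action, the staging path, or one of the campaign script names. The two task definitions, their names and start times, and the benign comparison task are constructed for the example.

```python
"""Score Task Scheduler XML against the BONDUPDATER persistence pattern.

Added example, not code from the original page or from any vendor report.
Both task definitions below are constructed. Real input is the output of
`schtasks /query /xml /tn <name>` or a file under C:\\Windows\\System32\\Tasks.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Indicators from the page, lower-cased for matching.
STAGING_PATH = r"c:\programdata\windows\microsoft\java"
SCRIPT_NAMES = {"dupdatecheckers.ps1", "hupdatecheckers.ps1",
                "googleupdateschecker.vbs", "cupdatecheckers.bat"}
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden")  # -w hidden / -windowstyle hidden

# Constructed: mirrors the documented chain (wscript launching the VBS from the
# staging path every minute). Task name and start time are assumptions.
SUSPECT_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ExampleUpdateCheck</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1M</Interval></Repetition>
    <StartBoundary>2017-11-20T10:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>/b "C:\\ProgramData\\Windows\\Microsoft\\java\\GoogleUpdateschecker.vbs"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed: a legitimate agent that also fires every minute, to show why
# the one-minute cadence alone is not a verdict.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Monitoring\\Heartbeat</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1M</Interval></Repetition>
    <StartBoundary>2017-11-20T10:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Monitoring\\heartbeat.exe</Command>
    <Arguments>--interval 60</Arguments>
  </Exec></Actions>
</Task>"""


def _local(tag: str) -> str:
    """Strip the namespace so matching works whether or not xmlns is present."""
    return tag.rsplit("}", 1)[-1]


def parse_task(xml_data: str | bytes) -> dict:
    """Pull the repetition intervals and Exec actions out of a task definition.

    Pass bytes for real exports: they are UTF-16 with an encoding declaration,
    which the expat parser only honours when it is given bytes.
    """
    root = ET.fromstring(xml_data)
    intervals = [child.text.strip()
                 for rep in root.iter() if _local(rep.tag) == "Repetition"
                 for child in rep if _local(child.tag) == "Interval" and child.text]
    actions = []
    for exe in root.iter():
        if _local(exe.tag) != "Exec":
            continue
        parts = {_local(c.tag): (c.text or "").strip() for c in exe}
        actions.append((parts.get("Command", ""), parts.get("Arguments", "")))
    uri = next((e.text or "" for e in root.iter() if _local(e.tag) == "URI"), "")
    return {"uri": uri.strip(), "intervals": intervals, "actions": actions}


def score_task(task: dict) -> list[str]:
    """Return the indicators the task matches, in a fixed order."""
    reasons = []
    if any(i.upper() == "PT1M" for i in task["intervals"]):
        reasons.append("repeats-every-minute")
    for cmd, args in task["actions"]:
        line = f"{cmd} {args}".lower()
        if "powershell" in line and HIDDEN_WINDOW.search(line):
            reasons.append("hidden-powershell-action")
        if STAGING_PATH in line:
            reasons.append("staging-path-action")
        if any(name in line for name in SCRIPT_NAMES):
            reasons.append("known-script-name")
    return reasons


def is_suspect(reasons: list[str]) -> bool:
    """One-minute repetition is common in legitimate agents, so alone it is only
    a triage signal; require a second indicator. The staging path and the
    campaign script names are specific enough to flag on their own."""
    hits = set(reasons)
    if hits & {"staging-path-action", "known-script-name"}:
        return True
    return {"repeats-every-minute", "hidden-powershell-action"} <= hits


if __name__ == "__main__":
    for xml_text in (SUSPECT_TASK_XML, BENIGN_TASK_XML):
        task = parse_task(xml_text)
        reasons = score_task(task)
        print(task["uri"], "SUSPECT" if is_suspect(reasons) else "ok", reasons)
```

Feed real exports as bytes (open(path, "rb").read()): schtasks writes UTF-16 with an encoding declaration, and ElementTree only honours that declaration on bytes input. The same task XML is also carried in Security event 4698 (a scheduled task was created) when task-creation auditing is enabled, so the scoring can be run on event data as well as on the on-disk files.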
The DNS tunneling behavior is described in detail. Early variants issued DNS A queries through System.Net.Dns.GetHostAddresses, derived a unique system identifier from the first 12 characters of the whoami output, and sent beacons as subdomains ending in B007 followed by the C2 domain. The server delivered a filename in an IPv4 answer beginning with 24.125; the last digit of that filename determined whether the trojan executed the received PowerShell commands directly or wrote the content to a .ps1 or .vbs file, and the answer 11.24.237.110 was the termination signal. Updated variants could send their own DNS traffic over UDP via System.Net.Sockets.UdpClient rather than through the system resolver (which changes where the queries are logged) and could use both A and TXT records for C2. The answer 99.250.250.199 instructed the updated version to switch to an alternate TXT-based DNS tunnel, in which TXT responses carried control instructions such as N, S, S000s, E, and C governing filename creation, base64 decoding, writing data, and canceling communications. Separate reporting likewise states that BONDUPDATER can use both A and TXT records within its DNS tunneling protocol.
Observed infection vectors include spear-phishing with malicious RTF attachments exploiting CVE-2017-0199 and CVE-2017-11882. BONDUPDATER is tied to OilRig targeting across the government, financial, energy, chemical, and telecommunications sectors, largely in the Middle East, with one explicit reference to use against a Middle Eastern government. Leaked OilRig tooling, reported separately, described BondUpdater variants under the names PoisonFrog and Glimpse.
High-confidence indicators and artifacts directly mentioned in the reporting: the scheduled task executing every minute; PowerShell launched with -windowstyle hidden; C2 over DNS A and TXT records; beacon subdomains ending in B007; the IPv4 answer values 24.125.* (filename delivery), 11.24.237.110 (termination signal), and 99.250.250.199 (switch to TXT mode); and, from one campaign, the filenames and path dUpdateCheckers.ps1, hUpdateCheckers.ps1, GoogleUpdateschecker.vbs, cUpdateCheckers.bat, and C:\ProgramData\Windows\Microsoft\java. Note that the three IPv4 markers are protocol signals carried in DNS answers, not infrastructure the implant connects to, so they belong in resolver-log and DNS-response hunts rather than in egress block lists.
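Because every marker above is visible in DNS query and answer data, a resolver log is the natural place to hunt. The following is an added example, not code from this page or from the vendor reporting, that runs those markers over a constructed resolver log: it flags the B007 beacon shape, 24.125.x.x filename-delivery answers, the 11.24.237.110 and 99.250.250.199 control answers, TXT answers to an apex already caught by another rule, and a one-minute query cadence per client and apex that reflects the scheduled task. The log format, the domain c2.example, the client addresses, the 50-70 second cadence window and the "last two labels are the apex" simplification are assumptions of the example, not facts from the reporting.

```python
"""Hunt BONDUPDATER-style DNS tunneling markers in a resolver log.

Added example, not code from the original page or from any vendor report. The
log format and every line in SAMPLE_LOG are constructed for this example; the
rules come from the protocol markers described on the page.
"""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

BEACON_SUFFIX = "B007"                                   # beacon subdomains end in B007
FILENAME_NET = ipaddress.IPv4Network("24.125.0.0/16")    # filename delivered in 24.125.x.x
TERMINATE_IP = ipaddress.IPv4Address("11.24.237.110")    # stop communicating
TXT_SWITCH_IP = ipaddress.IPv4Address("99.250.250.199")  # switch to the TXT-based tunnel
CADENCE_WINDOW = (50.0, 70.0)  # seconds between queries; the task fires every minute

# Constructed log, one "<UTC timestamp> <client> <qtype> <qname> <answer>" per
# line. c2.example stands in for the attacker domain; 10.0.0.9 is benign noise.
SAMPLE_LOG = """\
2018-08-14T10:00:05Z 10.0.0.7 A   3a9f1c2e8b4dB007.c2.example 24.125.48.57
2018-08-14T10:01:06Z 10.0.0.7 A   3a9f1c2e8b4d0.c2.example    24.125.48.57
2018-08-14T10:02:05Z 10.0.0.7 A   3a9f1c2e8b4dB007.c2.example 99.250.250.199
2018-08-14T10:03:05Z 10.0.0.7 TXT 3a9f1c2e8b4d1.c2.example    S000s
2018-08-14T10:04:06Z 10.0.0.7 A   3a9f1c2e8b4dB007.c2.example 11.24.237.110
2018-08-14T10:00:30Z 10.0.0.9 A   www.example.com             93.184.216.34
2018-08-14T10:00:31Z 10.0.0.9 A   ocsp.example.net            203.0.113.8
"""


@dataclass(frozen=True)
class Record:
    ts: datetime
    client: str
    qtype: str
    qname: str
    answer: str


@dataclass(frozen=True)
class Finding:
    client: str
    apex: str
    reason: str
    evidence: str


def split_name(qname: str) -> tuple[str, str]:
    """Return (subdomain, apex). Simplification: the apex is the last two labels;
    a production hunt would consult the public suffix list (think co.uk)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:]).lower()


def parse_log(text: str) -> list[Record]:
    records = []
    for line in filter(str.strip, text.splitlines()):
        ts, client, qtype, qname, answer = line.split(maxsplit=4)
        records.append(Record(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                              client, qtype.upper(), qname, answer))
    return sorted(records, key=lambda r: r.ts)


def classify(rec: Record) -> list[tuple[str, str]]:
    """Stateless per-record rules: beacon name shape and A-record control values."""
    hits = []
    if split_name(rec.qname)[0].upper().endswith(BEACON_SUFFIX):
        hits.append(("beacon-subdomain", rec.qname))
    if rec.qtype == "A":
        try:
            ip = ipaddress.IPv4Address(rec.answer)
        except ipaddress.AddressValueError:
            return hits
        if ip == TERMINATE_IP:
            hits.append(("terminate-signal", rec.answer))
        elif ip == TXT_SWITCH_IP:
            hits.append(("txt-mode-switch", rec.answer))
        elif ip in FILENAME_NET:
            hits.append(("filename-delivery", rec.answer))
    return hits


def hunt(log_text: str, min_queries: int = 3) -> list[Finding]:
    """Apply the stateless rules, then the cross-record ones per (client, apex)."""
    findings: list[Finding] = []
    by_pair: dict[tuple[str, str], list[Record]] = defaultdict(list)
    for rec in parse_log(log_text):
        apex = split_name(rec.qname)[1]
        by_pair[(rec.client, apex)].append(rec)
        findings += [Finding(rec.client, apex, r, e) for r, e in classify(rec)]
    flagged = {(f.client, f.apex) for f in findings}
    for (client, apex), recs in by_pair.items():
        # The page does not fix the TXT payload layout, so TXT answers count only
        # once the same client/apex pair has already tripped another rule.
        if (client, apex) in flagged:
            findings += [Finding(client, apex, "txt-tunnel-answer", r.answer)
                         for r in recs if r.qtype == "TXT"]
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(recs, recs[1:])]
        if len(recs) >= min_queries and CADENCE_WINDOW[0] <= statistics.median(gaps) <= CADENCE_WINDOW[1]:
            findings.append(Finding(client, apex, "one-minute-cadence",
                                    f"{len(recs)} queries, median gap {statistics.median(gaps):.1f}s"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f.client, f.apex, f.reason, f.evidence)
```

The TXT rule is deliberately contextual: the reporting gives the control tokens but not the full payload layout, so the example does not attempt to parse them. The cadence rule will fire on any one-minute poller, which is why it is emitted as one reason among several rather than as a verdict on its own; the beacon shape and the three control answers are the specific signals.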
Groups observed using it
One threat actor, OilRig (APT34), is attributed by public researchers.
Key TTPs: Persistent access through webshell installation; credential theft enabling lateral movement; intelligence collection on communications and decision-making; malware deployment (BONDUPDATER or TONEDEAF) for sustained access; document exfiltration targeting policy and strategic planning materials.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (4 techniques)
Scheduled task: “Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time” (2022 Ukraine Electric Power Attack). “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.” For BONDUPDATER, the scheduled task that fires every minute is both the execution trigger and the persistence mechanism.
PowerShell: threat actors and malware repeatedly use PowerShell scripts and commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion, e.g. “Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.” BONDUPDATER is itself a PowerShell script and runs its download stage with -windowstyle hidden.
Windows command shell and batch scripts: during the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL; during the 2025 Poland Wiper Attacks, the adversaries used PsExec to run cmd.exe commands on multiple victim machines. Many malware families and groups execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions through cmd.exe, cmd /c, or other command-line interfaces. APT1 has used the Windows command shell to execute commands and batch scripting to automate execution; Blue Mockingbird has used batch script files to automate execution and deployment of payloads; during HomeLand Justice, threat actors used Windows batch files for persistence and execution. BONDUPDATER reads batch commands from a file delivered by its C2 server and executes them through cmd.exe, and the documented campaign also staged cUpdateCheckers.bat.
Persistence (2 techniques)
Scheduled task: the scheduled-task procedures quoted under Execution apply here as well. BONDUPDATER's own persistence is the scheduled task that executes every minute, launching the VBS and PowerShell payloads from C:\ProgramData\Windows\Microsoft\java.
Privilege Escalation (2 techniques)
Scheduled task: the same scheduled-task procedures quoted under Execution. A task registered to run as SYSTEM or another higher-privileged account executes its payload at that privilege, which is why the technique is also listed under this tactic; the reporting summarized here does not state which account the BONDUPDATER task ran as.
Stealth (1 technique)
Hidden window: multiple actors and malware conceal execution by spawning PowerShell or console processes with parameters such as “-WindowStyle Hidden”, “-W Hidden” or “ProcessWindowStyle.Hidden”, or through APIs such as ShowWindow, CreateNoWindow, and CREATE_NO_WINDOW. BONDUPDATER launches PowerShell with -windowstyle hidden for its download stage.
Command and Control (3 techniques)
Domain generation algorithm: APT41 has used DGAs to change their C2 servers monthly; Aria-body has the ability to use a DGA for C2 communications; Astaroth has used a DGA in C2 communications; Bazar can implement DGA using the current date as a seed variable. BONDUPDATER's custom DGA generates the subdomains it queries, and the C2 channel itself runs over DNS A and TXT records.
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
16 sources tracked across advisories, community write-ups, and news.
Malware used by APT34 for sustained access during espionage operations against government, technology, and energy-related targets.
Backdoor malware used by OilRig for persistent access and command and control.
Backdoor that persists through a scheduled task running every minute.
A PowerShell-written malware/backdoor.