The BondUpdater Trojan is a dangerous weapon used against high-profile targets utilizing an unique infection mechanism. It is believed that the criminals behind it are highly experienced and are connected to a state-sponsored actor. Our article gives an overview of its behavior according to the collected samples and available reports, also it may be helpful in attempting to remove the virus.
|Short Description||The BondUpdater Trojan is a computer virus that is designed to silently infiltrate computer systems.|
|Symptoms||The victims may not experience any apparent symptoms of infection.|
|Distribution Method||Freeware Installations, Bundled Packages, Scripts and others.|
|Detection Tool|| See If Your System Has Been Affected by BondUpdater Trojan |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss BondUpdater Trojan.|
BondUpdater Trojan – Distribution Methods
A new Trojan called BondUpdater has been identified to be spread by a hacking collective called OilRig. This group is believed to have ties to Iran is also known under various other names: Cobalt Gypsy, Crambus, Helix Kitten or PT34 became famous with its large-scale attacks against high-profile targets. It is reported that the hackers may be a state-sponsored group that is allied with the Iranian intelligence agency.
The BondUpdater Trojan is primarily distributed using SPAM email messages that appear as being sent by a legitimate sender. The hackers will spoof the credentials, layout and design elements in order to coerce the users into interacting with the dangerous contents. The targets are reported to be a “high-ranking office” located in a country in the Middle East. We have information about a campaign that makes use of macro-infected documents. The criminal collective embeds the malicious code into documents of all popular types: presentations, rich text documents, databases and spreadsheets. Once they are opened a prompt will appear asking the users to enable the built-in macros. If this is done the infection follow.
The analysis shows that the scripts will download and execute a PowerShell based payload dropper.
The fact that the hackers rely on a social engineering technique gives them the ability to use other related techniques in future or supplementary campaigns. Examples include the following:
- Fake Download Sites — The email messages can redirect to a counterfeit download that may appear as a legitimate vendor site or a famous Internet portals.
- Script Redirects — Various web elements can redirect the users to the download pages from where the BondUpdater Trojan can be acquired. Examples include banners, pop-ups, in-line links and ads.
BondUpdater Trojan – Detailed Description
As soon as the PowerShell dropper is started it will download the other modules necessary to execute the infection. It has been found to run for no more than 10 minutes, afterwards it will pause before running once again if required.
The captured samples have been found to download the main Trojan executable which will set up a secure connection to the hacker-controlled server. The network analysis shows this malware instance uses a very flexible approach to controlling the infected hosts. Among its features are the following characteristics:
- Two DNS Tunneling Variations — The BondUpdater Trojan has been found to contain two variations of code that uses the DNS tunneling protocol. The first one relies on DNS A records while the second one uses DNS TXT records.
- Custom Action Types — Depending on the specific victims conditions several different behavior patterns will be started.
- Additional Commands Arsenal — The security analysts state that this Trojan is particularly useful when infecting high-profile targets.
The analysis reveals that there is an interesting mechanism that is unique to this Trojan family — the command interpreter will check the file name of the TXT instruction files — a “1” value will instruct the engine to download file while “0” will run it. The fact that the communications can happen via the text files shows that it is unlikely that a signature-based analysis or automated security defenses can detect infections.
We presume that once the criminal controllers take over control of the infected systems they will initiate a series of hacker tactics. Usually one of the first modules that are launched is the data extraction one. It will automatically search the system for any strings that can expose the victim’s identity — their names, address, location, interests, phone number and any stored account credentials. The collected information can then be used for crimes such as financial abuse and identity theft. Other information that can harvested during this process includes one that may be used for campaign metrics — a report on the installed hardware components, user settings and operating system conditions.
It is very possible that the BondUpdater Trojan will also install itself as a persistent threat. This means that it will be set to automatically start once the computers are powered on. A related modification is the fact that such infections usually disable user-installed applications and system services. Another side effect is the inability to boot into the recovery boot menu.
Windows Registry modifications are also expected. The Trojan engine can create values for itself or modify already existing ones. If string belonging to the operating system are modified then the overall performance may drop. Changes to individual applications can disable certain functions.
Remove BondUpdater Trojan Trojan
If your computer system got infected with the BondUpdater Trojan Trojan, you should have a bit of experience in removing malware. You should get rid of this Trojan as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the Trojan and follow the step-by-step instructions guide provided below.
Note! Your computer system may be affected by BondUpdater Trojan and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of BondUpdater Trojan.