Bondnet Using High-Performance Bots For C2 Server

June 18, 2024, 12:09 a.m.

Description

Security researchers at ASEC have discovered a threat actor using high-performance bots to turn compromised systems into command-and-control (C2) servers, relying on tools such as the Cloudflare tunneling client.

Date

  • Created: June 17, 2024, 11:42 p.m.
  • Published: June 17, 2024, 11:42 p.m.
  • Modified: June 18, 2024, 12:09 a.m.

Indicators


Attack Patterns

  • T1021
  • T1102
  • T1090