{
	"id": "9306f6b2-f81d-4637-a1fc-2902879dd394",
	"created_at": "2026-04-06T00:11:22.490927Z",
	"updated_at": "2026-04-10T13:11:41.412435Z",
	"deleted_at": null,
	"sha1_hash": "1b5a9d2194953f15cc8d716d2d20ba3ac800b708",
	"title": "OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 278685,
	"plain_text": "OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government\r\nBy Kyle Wilhoit, Robert Falcone\r\nPublished: 2018-09-12 · Archived: 2026-04-05 14:19:02 UTC\r\nThe OilRig group has been active since at least mid-2016 and continues its attack campaigns throughout the Middle East, targeting both governmental agencies and businesses on an almost routine basis. Often preferring homegrown tools and malware, OilRig continually modifies its malware and tools to accomplish its objectives. In August 2018, Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER. BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017, when OilRig targeted a different Middle Eastern governmental organization.\r\nThe BONDUPDATER Trojan contains basic backdoor functionality, allowing the threat actors to upload and download files and to execute commands. BONDUPDATER, like other OilRig tools, uses DNS tunneling to communicate with its C2 server. During the past month, Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of BONDUPDATER, which now includes the ability to use TXT records within its DNS tunneling protocol for C2 communications.\r\nA New Series of Attacks\r\nIn mid-August, the OilRig threat group sent what appeared to be a highly targeted spear-phishing email to a high-ranking office in a Middle Eastern nation. The email had no subject, and what initially drew our attention to this attack was the content of the email.\r\nFigure 1. 
Spear-phishing email sent by the OilRig threat group\r\nhttps://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/\r\nPage 1 of 7\n\nAttached to the email was a malicious document named “N56.15.doc” (SHA256: 7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00), which contained a macro that attempted to install a new version of the BONDUPDATER Trojan.\r\nFigure 2. Microsoft Word document with embedded macros and PowerShell\r\nUpdated BONDUPDATER\r\nThe attached Microsoft Word document contained a macro responsible for installing a new variant of BONDUPDATER. The macro begins the installation by creating two files on the system at the following locations:\r\nC:\\ProgramData\\WindowsAppPool\\AppPool.vbs (SHA256: c0018a2e36c7ef8aa15b81001a19c4127ad7cd21ae410c1f854e5dadfa98b322)\r\nC:\\ProgramData\\WindowsAppPool\\AppPool.ps1 (SHA256: d5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7)\r\nThe macro finishes by launching the dropped VBScript with \"wscript C:\\ProgramData\\WindowsAppPool\\AppPool.vbs\". 
When first executed, the \"AppPool.vbs\" file creates the following scheduled task, which runs every minute. This provides BONDUPDATER with persistence and the ability to run continually on the system, as the Trojan does not have a main loop to carry out its functionality:\r\ncmd.exe /C schtasks /create /F /sc minute /mo 1 /tn \"\\WindowsAppPool\\AppPool\" /tr \"wscript /b \"C:\\ProgramData\\WindowsAppPool\\AppPool.vbs\"\"\r\nAfter creating the scheduled task, the VBScript executes the \"AppPool.ps1\" script dropped by the macro using the following command line:\r\nPowerShell.exe -exec bypass -file C:\\ProgramData\\WindowsAppPool\\AppPool.ps1\r\nSubsequent executions of \"AppPool.vbs\" check for the existence of a file named \"quid\"; if it is present, the VBScript skips the task creation and runs \"AppPool.ps1\" with the same PowerShell command line. The PowerShell script creates the \"quid\" file upon its first execution, so the scheduled task is created only once.\r\nThe \"AppPool.ps1\" file is a PowerShell script that is a variant of the BONDUPDATER payload. BONDUPDATER, like other OilRig payloads, uses DNS tunneling to communicate with its C2 server. This variant of the BONDUPDATER Trojan adds a lock file: it creates the following file and writes the current PowerShell process identifier (PID) to it:\r\nC:\\ProgramData\\WindowsAppPool\\lock\r\nThe purpose of this lock file is to ensure only one instance of the Trojan runs at a time. However, the Trojan also uses the lock file to determine how long the PowerShell process has been executing: it compares the creation time of the lock file against the current time to determine whether the PowerShell process has been running for more than ten minutes. 
If it has, the script stops the process identified by the PID in the lock file and deletes the lock file, so the next execution of the PowerShell script runs fully, as the lock file no longer exists on the system. This suggests the threat actors may have experienced issues with this Trojan running for extended periods in the past, likely related to the communication loops discussed later.\r\nThis BONDUPDATER variant also creates the following file to store a unique identifier for the system, which is generated by taking a random number between 10 and 99 and appending the first 8 characters of a generated GUID:\r\nC:\\ProgramData\\WindowsAppPool\\quid\r\nThe BONDUPDATER Trojan then creates several folders that it uses to store files it receives from the C2 server and files that it generates or gathers to send to the C2 server. The folder names are:\r\nC:\\ProgramData\\WindowsAppPool\\files\r\nC:\\ProgramData\\WindowsAppPool\\\u003cunique ID from quid file\u003e\\receivebox\r\nC:\\ProgramData\\WindowsAppPool\\\u003cunique ID from quid file\u003e\\sendbox\r\nC:\\ProgramData\\WindowsAppPool\\\u003cunique ID from quid file\u003e\\done\r\nEven though the script creates the \"files\" folder, the Trojan does not appear to use it anywhere in the code. The Trojan uses the \"receivebox\" folder to store files obtained from the C2 server, while the \"sendbox\" folder holds files that the Trojan will upload to the server. The Trojan uses the filename of each file received from the C2 server and stored in the \"receivebox\" folder to determine how to handle that file, as explained below.\r\nThe BONDUPDATER sample retains its original command handling and C2 communication functionality. This process involves communicating with the C2 server to receive a file and using a character in the filename as the command. 
The Trojan's command handler checks the trailing character of the filename to decide how to process the file contents, as shown in Table 1.\r\nTrailing Character/Command | Purpose | Description\r\n0 | Execute command | Reads the contents of the file and runs them as a command with \"cmd.exe\". The output of the command is saved to a file whose name starts with \"proc\" in the \"sendbox\" folder, which the Trojan will send to the C2 server.\r\n1 | Download file | Reads the contents of the file for a path to a file on the victim system. Copies the specified file to a file in the \"sendbox\" folder for the Trojan to send to the C2 server.\r\nAny other character | Upload file | Used to store a file on the system. The file is moved to the \"done\" folder, which stores the file for future use. The Trojan writes \"200\u003c\u003e[path to stored file]\" to a file in the \"sendbox\" folder to notify the C2 that the file was received and stored successfully.\r\nTable 1 Commands available in BONDUPDATER and their purpose (\"download\" and \"upload\" are named from the C2 operator's perspective)\r\nAfter handling the command, BONDUPDATER sends the files it saved in the \"sendbox\" folder to the C2 server, after which it terminates and relies on the scheduled task to run again.\r\nAs discussed above, the BONDUPDATER Trojan uses a DNS tunneling protocol to receive files from the C2 server for processing. This particular BONDUPDATER sample includes two variations of the DNS tunneling protocol, one using DNS A records and one using DNS TXT records to transmit data from the C2 to the Trojan. 
The use of TXT records for C2 communications appears to be a new feature of the BONDUPDATER Trojan.\r\nThe DNS tunneling protocol uses carefully crafted subdomains sent to the authoritative name server of the C2 domain, which in this specific sample was \"withyourface[.]com\". The Trojan generates subdomains differently when it sends data to the C2 than when it is looking to receive data from the C2, regardless of which DNS tunneling protocol is used. The generated domains for both sending and receiving start with the previously generated unique system identifier (the \"quid\" value). However, the Trojan inserts a part number value and an action type character into this identifier string at random offsets. The part number is a three-digit string that corresponds to the chunk of data the Trojan is attempting to transmit. The action type is a single character that tells the C2 what kind of communication the Trojan is carrying out. The two static characters \"C\" and \"T\" in the subdomain surround two digits, which tell the C2 server where the part number and the action type were inserted into the identifier string.\r\nSending data format\r\n\u003cGUID with part number and action character\u003e\u003csequence number\u003e\u003cbetween 1 and 7 random characters\u003eC\u003cindex of part number\u003e\u003cindex of action\u003eT.\u003cdata chunk\u003e.\u003cfilename\u003e.\u003cc2 domain\u003e\r\nReceiving data format\r\n\u003cGUID with part number and action character\u003e\u003csequence number\u003e\u003cbetween 1 and 7 random characters\u003eC\u003cindex of part number\u003e\u003cindex of action\u003eT.\u003cc2 domain\u003e\r\nDepending on whether the C2 communications use DNS A or TXT records, different action types are used when generating the subdomains to tell the C2 which record type to respond with. 
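The subdomain formats above, as an added example that is not part of the original Unit 42 post: a Python encoder that builds a query label the way the page describes (the action character inserted first, then the three-digit part number, each at its own offset, followed by the sequence number, padding and the C..T marker), and a decoder that parses such a label back into identifier, part number and action type. It assumes single-digit offsets (0 to 9), a 10-character identifier (a two-digit number plus 8 GUID characters, as the quid section describes), and that each offset applies to the string as it stands at the moment of that insertion. withyourface.com is the C2 domain named on the page; every other value is constructed for this example.

```python
import random
import re
import uuid

C2_DOMAIN = 'withyourface.com'   # C2 domain named on the page

# Table 2 action types from the page; used to label decoded queries.
ACTION_TYPES = {
    'M': 'initial beacon (A or TXT)',
    '0': 'provide filename (A)',
    '1': 'provide data (A)',
    'W': 'provide filename (TXT)',
    'D': 'provide data (TXT)',
    'P': 'TXT method failed, switch to A records',
}

def make_host_id():
    # quid value: a two-digit number 10..99 plus the first 8 chars of a GUID (page).
    return str(random.randint(10, 99)) + str(uuid.uuid4())[:8]

def build_label(host_id, part, action, action_offset, part_offset, seq, pad):
    # Assumed ordering: action char inserted first, then the 3-digit part number,
    # each at an offset into the string as it stands at that moment.
    if not (0 <= action_offset <= 9 and 0 <= part_offset <= 9):
        raise ValueError('assumed single-digit offsets')
    if len(host_id) != 10 or len(part) != 3 or len(action) != 1:
        raise ValueError('host_id must be 10 chars, part 3 digits, action 1 char')
    s = host_id[:action_offset] + action + host_id[action_offset:]
    s = s[:part_offset] + part + s[part_offset:]
    # The trailing C, part offset, action offset, T tell the C2 where the fields sit.
    return f'{s}{seq}{pad}C{part_offset}{action_offset}T'

# Head is 14 chars: 10 id + 3 part + 1 action; then seq+pad; then the C..T marker.
LABEL_RE = re.compile(r'^(?P<head>.{14})(?P<tail>.*)C(?P<p>[0-9])(?P<a>[0-9])T$')

def parse_label(label):
    m = LABEL_RE.match(label)
    if m is None:
        return None
    head, p, a = m.group('head'), int(m.group('p')), int(m.group('a'))
    part = head[p:p + 3]                       # undo the last insertion first
    without_part = head[:p] + head[p + 3:]
    action = without_part[a]                   # then the action char at its own offset
    host_id = without_part[:a] + without_part[a + 1:]
    if not part.isdigit() or action not in ACTION_TYPES:
        return None
    return {'host_id': host_id, 'part': int(part), 'action': action,
            'meaning': ACTION_TYPES[action], 'tail': m.group('tail')}

def parse_query(qname, domain=C2_DOMAIN):
    # Receiving format: label.domain ; sending format: label.chunk.filename.domain
    suffix = '.' + domain
    if not qname.endswith(suffix):
        return None
    labels = qname[:-len(suffix)].split('.')
    info = parse_label(labels[0])
    if info is None:
        return None
    if len(labels) == 1:
        info['direction'] = 'receive'
    elif len(labels) == 3:
        info['direction'] = 'send'
        info['data'] = labels[1]
        info['filename'] = labels[2]
    else:
        return None
    return info

def demo():
    # Constructed beacon and upload query using the offsets the page discusses (action 8, part 3).
    label = build_label('4212345678', '001', 'M', 8, 3, '0', 'xyz')
    beacon = f'{label}.{C2_DOMAIN}'
    upload = f'{label}.abc123.proc70.{C2_DOMAIN}'   # constructed data chunk and filename
    return parse_query(beacon), parse_query(upload)

if __name__ == '__main__':
    for q in demo():
        print(q)
    fresh = build_label(make_host_id(), '000', 'M', 2, 7, '0', 'ab')
    print(parse_query(fresh + '.' + C2_DOMAIN))
```

The decoder inverts the insertion order (part number out first, then the action character) rather than adding the two offsets; for an action inserted at offset 8 and a part number at offset 3 both approaches land on offset 11, because the three-digit part number shifts the action character by three, which here equals the part offset. Parsing from the right end of the label (the C..T marker) sidesteps the variable-length sequence number and the 1 to 7 random padding characters, which cannot be separated from each other with what the page describes.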
Table 2 shows the action types used in outbound requests and the purpose of each request.\r\nAction Type | A/TXT Communications | Description\r\nM | A/TXT | Initial beacon\r\n0 | A | Provide filename\r\n1 | A | Provide data\r\nW | TXT | Provide filename\r\nD | TXT | Provide data\r\nP | TXT | TXT method failed, notify C2 to switch to A records\r\nTable 2 Action types used within the DNS tunneling protocol and their purpose\r\nFor example, the Trojan begins communicating with its C2 server by sending an initial beacon with the action character \"M\". This initial beacon follows the receiving format, as seen in the following example:\r\nFigure 3. Example domain for the C2 beacon with its format explained\r\nThe offsets of the part number and action type in the identifier shown in Figure 3 may not seem correct at first, as the action type does not appear at offset 8 in the string. However, this is correct, as the action type was inserted at offset 8 before the three-digit part number was inserted at offset 3, which shifted the action type further into the string. Therefore, we believe the C2 server just adds the two offsets together to find the actual location of the action type in the string.\r\nOriginal Data Transfer using DNS Tunneling\r\nThe original data transfer process within BONDUPDATER looked for specific A records within the answers to its DNS queries, shown in Table 3. To obtain a filename, the Trojan looks for an A record whose first two octets are \"24.125\". It appends the remaining two octets of this A record to the string \"rcvd\" and uses the result as the filename under which future data is saved in the \"receivebox\" folder. This IP address also instructs the Trojan to treat the following DNS A records as data. 
The following DNS A records are split on the \".\"; each of the first three octets is treated as a data byte, while the fourth octet is used as a counter to place the chunk in the correct order. Lastly, the Trojan looks for an A record beginning with \"1.2.3\" as the signal to write the collected data to the specified file, which is then subjected to the previously mentioned file-based command handler.\r\nIP Address | Description\r\n24.125.\\d.\\d | Sets the filename \"rcvd\\d\\d\" in the \"receivebox\" folder to store data for processing\r\n\\d.\\d.\\d.\\d | The first three octets are treated as data and the fourth is used to keep track of the sequence\r\n1.2.3.\\d | Instructs the Trojan to write the data to the file and begin processing it for commands\r\nTable 3 IP addresses and their meanings within the original data transfer process in BONDUPDATER\r\nNew Data Transfer using DNS Tunneling\r\nThis BONDUPDATER sample has a new method to obtain files from the C2 server using a series of DNS TXT queries. This method follows a process similar to the original one but uses DNS TXT results to obtain a filename and the data to write to the file. Once the data is written to the file system, this method uses the same command handler as the original method to process the contents of the file based on the trailing character of the filename, as seen in Table 1.\r\nThe C2 can initiate the new TXT-based transfer by responding to the initial beacon with a DNS A record of \"99.250.250.199\". The script then enters a loop, attempting to communicate with its C2 every 50 milliseconds and looking for a series of responses containing specific characters that the script uses as instructions to determine how to handle the TXT record, as shown in Table 4. 
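The two C2-to-Trojan transfer methods, as an added example that is not part of the original post: a Python decoder for the A record method of Table 3 above (filename from the 24.125 marker, three data bytes plus a sequence octet per record, 1.2.3.x as the terminator), a decoder for the TXT method the page lays out next in Table 4 (instruction and data split on the greater-than character; S000s names the file, S carries base64 data, E writes, C cancels), and the trailing-character dispatch of Table 1. All record values below are constructed for the example. The page does not say how a payload whose length is not a multiple of three is padded, so the A record decoder returns the raw bytes as received, and it ignores TXT instructions the page does not list.

```python
import base64

TXT_SWITCH_MARKER = '99.250.250.199'   # A record that moves the Trojan to TXT mode (page)

def beacon_selects_txt(answers):
    # The C2 opts into the TXT method by answering the initial beacon with this A record.
    return TXT_SWITCH_MARKER in answers

def command_for(filename):
    # Table 1: the trailing character of the received filename selects the handler.
    last = filename[-1]
    if last == '0':
        return 'execute'    # run contents with cmd.exe, output to sendbox as proc*
    if last == '1':
        return 'download'   # contents name a local file to copy into sendbox
    return 'upload'         # anything else: store the file in the done folder

def decode_a_records(answers):
    # answers: IPv4 strings in the order the resolver returned them (constructed).
    # Returns (filename, data, complete); records before the 24.125 marker are ignored.
    filename, chunks, complete = None, {}, False
    for ip in answers:
        octets = ip.split('.')
        if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
            continue
        if filename is None:
            if octets[0] == '24' and octets[1] == '125':
                filename = 'rcvd' + octets[2] + octets[3]
            continue
        if octets[0] == '1' and octets[1] == '2' and octets[2] == '3':
            complete = True      # 1.2.3.x: write the file and hand it to the command handler
            break
        # The fourth octet is the sequence counter, so out-of-order answers still reassemble.
        # Caveat inherent in the scheme: a data chunk whose bytes are 1,2,3 would read as the terminator.
        chunks[int(octets[3])] = bytes(int(o) for o in octets[:3])
    data = b''.join(chunks[k] for k in sorted(chunks))
    return filename, data, complete

def decode_txt_records(records):
    # records: TXT strings of the form instruction>data, one per query round (constructed).
    # Tracks the action type the Trojan would place in its next query (W or D, Table 2).
    state = {'action': 'W', 'filename': None, 'data': b'', 'done': False, 'cancelled': False}
    for rec in records:
        instr, _, payload = rec.partition('>')
        if instr == 'N':            # idle: keep asking for a filename
            state['action'] = 'W'
        elif instr == 'S000s':      # filename fragment, appended to rcvd
            state['filename'] = 'rcvd' + payload
            state['action'] = 'D'
        elif instr == 'S':          # base64 data chunk
            state['data'] += base64.b64decode(payload)
            state['action'] = 'D'
        elif instr == 'E':          # write the file and leave the loop
            state['done'] = True
            break
        elif instr == 'C':          # cancel
            state['cancelled'] = True
            break
        # Anything else is ignored here (assumption: the page lists no other instructions).
    return state

def demo():
    # Constructed exchange: both transports deliver the command whoami (bytes 119 104 111 97 109 105)
    # under a filename ending in 0, which Table 1 maps to execute.
    a_answers = ['24.125.7.0', '97.109.105.1', '119.104.111.0', '1.2.3.0']   # second chunk arrives first
    txt_answers = ['N>', 'S000s>70', 'S>d2hv', 'S>YW1p', 'E>']
    fn, data, done = decode_a_records(a_answers)
    st = decode_txt_records(txt_answers)
    return ((fn, data, done, command_for(fn)),
            (st['filename'], st['data'], st['done'], command_for(st['filename'])))

if __name__ == '__main__':
    print(beacon_selects_txt([TXT_SWITCH_MARKER]))
    print(demo())
```

The A record path carries only three bytes per answer, which is why the page expects a long-running loop and why the lock file's ten-minute cutoff matters; the TXT path moves whole base64 chunks per answer. Both decoders end in the same place the Trojan does: a file in receivebox whose last filename character picks the command handler.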
The Trojan splits each TXT record in the C2 response on the character \"\u003e\"; the text to the left of the \"\u003e\" is the instruction and the text to the right is the data.\r\nInstruction | Description\r\nN | Idle. Sets the action type of the next query to \"W\".\r\nS | Receive data from the C2. Decodes the data portion as base64. Sets the action type of future queries to the C2 to \"D\".\r\nS000s | Uses the data as a portion of the filename to save data to. The data is appended to the string \"rcvd\", and the resulting file is saved in the \"receivebox\" folder. Sets the action type of future queries to the C2 to \"D\".\r\nE | Writes the bytes provided by the \"S\" instructions to the file named by the \"S000s\" instruction. This breaks the loop so the script can process the downloaded file.\r\nC | Cancels communications by exiting the loop.\r\nTable 4 Instructions within the new data transfer process in BONDUPDATER and their meanings\r\nWhile we have not seen the C2 use this TXT record-based communication, we believe the process would involve the C2 providing a TXT record with the \"S000s\" instruction to set the filename to which data is saved. The C2 would then provide a series of \"S\" instructions carrying data, followed by the \"E\" instruction to write that data to the file, which would then be subjected to the command handler.\r\nConclusion\r\nAs expected, OilRig is continuing its onslaught of attacks well into 2018, with continued targeting in the Middle East. While sometimes developing new tools, OilRig also often reuses what has worked in the past, including developing variants of previously used tools and malware. 
This reduces development time and capitalizes on previous versions of the tool and their success.\r\nOilRig is a highly diverse and very resourceful threat actor, employing a litany of methods and tools to compromise victims, but Palo Alto Networks customers are protected from this OilRig attack and BONDUPDATER by the following:\r\nAutoFocus customers can track this Trojan with the Bondupdater_Docs tag\r\nAll known BONDUPDATER document samples are marked with malicious verdicts in WildFire\r\nAll known BONDUPDATER C2 domains have DNS signatures and are classified as Command and Control\r\nIndicators\r\nBONDUPDATER C2\r\nwithyourface[.]com\r\nBONDUPDATER Dropper Document and Dropped Files (SHA256)\r\n7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00 (N56.15.doc)\r\nc0018a2e36c7ef8aa15b81001a19c4127ad7cd21ae410c1f854e5dadfa98b322 (AppPool.vbs)\r\nd5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7 (AppPool.ps1)\r\nSource: https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/"
	],
	"report_names": [
		"unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government"
	],
	"threat_actors": [
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434282,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b5a9d2194953f15cc8d716d2d20ba3ac800b708.pdf",
		"text": "https://archive.orkl.eu/1b5a9d2194953f15cc8d716d2d20ba3ac800b708.txt",
		"img": "https://archive.orkl.eu/1b5a9d2194953f15cc8d716d2d20ba3ac800b708.jpg"
	}
}