{
	"id": "40ba02bf-7bbf-4528-9853-6e44602c2199",
	"created_at": "2026-04-06T01:32:27.342304Z",
	"updated_at": "2026-04-10T03:37:37.104575Z",
	"deleted_at": null,
	"sha1_hash": "e980a49cc588ce7c5bd92cc16412e39646be5d43",
	"title": "Tunneling Under the Sands",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 681359,
	"plain_text": "Tunneling Under the Sands\r\nBy ASERT team\r\nPublished: 2018-09-14 · Archived: 2026-04-06 00:10:13 UTC\r\nExecutive Summary\r\nASERT recently came across spear-phishing emails targeting the Office of the First Deputy Prime Minister of Bahrain. A similar campaign uncovered by Palo Alto’s Unit 42 found the activity distributing an updated variant of BONDUPDATER, a PowerShell-based Trojan, which they attribute to the Iranian APT group OilRig (aka APT34). ASERT was able to uncover Command and Control (C2) traffic instructing the script to run commands, including the C2 responses from the attacker’s server. NOTE: Netscout APS enterprise security products detect and block all network IOCs noted in this report.\r\nKey Findings\r\nBONDUPDATER, a PowerShell-based Trojan, now obfuscates the data prior to exfiltration.\r\nData exfiltration occurs using inserted sub-domains for each communication to the attacker’s C2 server.\r\nAnalysis\r\nDuring the course of ASERT's investigation into the alleged OilRig activity, we managed to capture live C2 communications and reverse engineer the communication protocols the malware uses. For further details on the malware itself and how it behaves, we recommend reading the blog that Unit 42 security researchers published earlier in the week. The BONDUPDATER C2 communications use DNS queries for communication and data exfiltration. Specifically, BONDUPDATER uses DNS A records and DNS TXT records to relay the information.\r\nCommand Delivery\r\nBONDUPDATER makes use of the TXT data field to pass commands to the client. DNS TXT records are traditionally used to provide additional information about the domain; however, the content can be anything, provided it follows the standard. Here, the attacker abuses that flexibility to deliver items like commands. The command format the attackers send in the TXT response field is: 5 characters \u003e Data (Figure 1). 
\r\nFigure 1: S0000 Command\r\nThe script splits the command into two parts delimited by the \u003e character. For example, to run a simple command on the victim machine, the attacker would respond to three separate DNS TXT queries with the following responses:\r\n1. S000s\u003e10100\r\n   1. Create a file under the receivedbox folder called rcvd10100\r\n2. S0000\u003ed2hvYW1pJmlwY29uZmlnIC9hbGw=\r\n   1. Decode the command to the right of \u003e:\r\n      1. Replace('-', '+')\r\n      2. Replace('_', '/')\r\n      3. Base64 decode\r\n3. E0000\u003e0\r\n   1. Write the decoded command to the file\r\nData Exfiltration\r\nhttps://www.netscout.com/blog/asert/tunneling-under-sands\r\nPage 1 of 4\n\nNormal DNS A records are used to return an IP address for the given domain or subdomain. BONDUPDATER abuses DNS A records for data exfiltration. We observed BONDUPDATER sending the output of a CLI command across multiple DNS A requests (Figure 2). The data was stuffed into one of the subdomains. Using this method, the attacker may pull down any file, provided they remain undetected for the prolonged period of time needed to transfer the required data. Data exfiltration using this method takes time and generates a large number of requests that could be noticed by a network IDS/IPS.\r\nFigure 2: Exfiltrating Data\r\nBONDUPDATER exfiltrates files by adding two more subdomains to the FQDN.\r\nData Subdomain\r\nThe first of the two inserted subdomains contains one of three possible entries:\r\n1. Data exfiltration header\r\n2. Data being exfiltrated\r\n3. Data exfiltration end marker\r\nThe following strings represent the same data exfiltration header presented here in two forms:\r\nUn-obfuscated: \u003credacted\u003e.10100*9056*****************.33333210100A[.]withyourface[.]com\r\nObfuscated: \u003credacted\u003e.COCTab33333233332222222222222222210100A9056AAAAAAAAAAAAAAAAA.33333210100A[.]withyourfac\r\nBONDUPDATER sends the data using the obfuscated form. 
The un-obfuscated form was added for clarity. “COCTab” indicates this subdomain is a data exfiltration header. The next 5 characters match the name received by the S000s command (above). The actors add these characters to map the data being received to the command they issued. The script obfuscates all the data of this subdomain except for the “COCTab” header. BONDUPDATER also obfuscates the file content sent to the attacker:\r\n\u003credacted\u003e.EBB466767667256666772556776662FBFD932F3F64079E4F730B65239FE0.33333210100A[.]withyourface[.]com\r\nThe obfuscation technique is covered in the next section. The final entry type, “COCTabCOCT”, denotes the end of the data segment:\r\n\u003credacted\u003e.COCTabCOCT.33333210100A[.]withyourface[.]com\r\nData Obfuscation Technique\r\nThe actor obfuscates the data by splitting each byte into two nibbles. The first nibble goes into one list and the second nibble goes into the second list. Each list contains a max of 15 characters but may contain fewer depending on the number of remaining bytes. The script joins the lists together end to end to create the subdomain (Figure 3). 
\r\nFigure 3: Binary Scrambling\r\nThe script below reorganizes the nibbles into their respective bytes (Figure 4).\r\nimport binascii\r\n\r\n# Obfuscated payload taken from the data subdomain shown above\r\ndata = 'EBB466767667256666772556776662FBFD932F3F64079E4F730B65239FE0'\r\nhalf = len(data) // 2\r\nexfil_data = bytearray()\r\nfor x in range(half):\r\n    # byte x = high nibble from the first half + low nibble from the second half\r\n    pair = data[x] + data[half + x]\r\n    try:\r\n        exfil_data += binascii.unhexlify(pair)\r\n    except binascii.Error:\r\n        exfil_data += pair.encode()  # keep non-hex characters (e.g. padding) as-is\r\nprint(exfil_data.decode('utf-8', errors='replace'))\r\nFigure 4: Python 3 snippet to reconstruct the data (updated from the original Python 2 version)\r\nThe above code snippet returns: Microsoft Windows [Version, which is part of the output when running the following command:\r\nwhoami\u0026ipconfig /all\r\nCommand Identification Marker\r\nThe third-level subdomain contains an identification marker as noted below:\r\n\u003credacted\u003e.COCTabCOCT.33333210100A[.]withyourface[.]com\r\nThe value equals the command identifier specified by the S000s command (above). Similar to a campaign ID/name, it is likely the attackers use this marker to categorize and sort C2 communications. This subdomain also uses the same algorithm defined in Figure 3.\r\nSummary \u0026 Recommendations\r\nAPT actors continually revamp and develop new capabilities to add to their portfolio, and BONDUPDATER is no exception. The custom DNS tunneling and obfuscation technique allows the attacker to circumvent some defense measures. From a defender’s perspective, ASERT recommends that all DNS traffic be monitored for abnormal behavior such as abnormally long domain names. At a minimum, inspect DNS A records for “COCTab”, which could be a sign of this specific infection. Practice good email hygiene and disable scripts from running in Office documents where possible. Enable PowerShell logging to monitor for suspicious behavior. 
Research into this group, and specifically BONDUPDATER, reveals that the actor is continuously improving their toolset to maximize their chances of success. Thus, layered controls are essential for detecting the threats of tomorrow.\r\nIOCs\r\nwithyourface[.]com\r\n52b6e1ef0d079f4c2572705156365c06 - Word Document\r\n8c4fa86dcc2fd00933b70cbf239f0636 - PowerShell Script\r\nSource: https://www.netscout.com/blog/asert/tunneling-under-sands",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netscout.com/blog/asert/tunneling-under-sands"
	],
	"report_names": [
		"tunneling-under-sands"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439147,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e980a49cc588ce7c5bd92cc16412e39646be5d43.pdf",
		"text": "https://archive.orkl.eu/e980a49cc588ce7c5bd92cc16412e39646be5d43.txt",
		"img": "https://archive.orkl.eu/e980a49cc588ce7c5bd92cc16412e39646be5d43.jpg"
	}
}