Track Common Adversary Tasks Performed Using Bonadan

Overview

Bonadan is a malicious build of OpenSSH that also acts as a custom backdoor. It was detected in 2018 and combines a new cryptocurrency-mining module with the credential-stealing module generally used by the Onderon family of backdoors.

How Does It Work?

The module used in this backdoor runs as a new thread that calls two functions every five minutes. The first checks for and removes any cryptocurrency miner already installed on the system, whereas the second connects to the C&C server and sends the following information about the host:
  1. Username of the user running the backdoor.
  2. Version of the OS.
  3. External IP address of the infected host.
  4. CPU model.
  5. RAM size.
  6. Speed of the running miner, among other details.
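The five-minute check-in described above leaves a detectable trace: one process opening a connection to the same destination at nearly constant intervals. The script below is an added example written for this post, not code from the original article or from any published Bonadan analysis. It runs over constructed connection records (one line per outbound connection) and flags any series whose gaps are all within a small fraction of the median gap; it does not depend on the five-minute figure, so it also catches other beacon intervals.

```python
"""Flag periodic outbound connections ("beaconing") in a connection log.

Added example for this post; the log format and every value below are
constructed. One connection event per line: <ISO timestamp> <process> <dst>
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: an sshd process that reports to one host roughly every
# five minutes, plus an ordinary client with irregular traffic.
SAMPLE_LOG = """\
2018-06-01T10:00:02 sshd 203.0.113.10:443
2018-06-01T10:00:15 curl 198.51.100.7:80
2018-06-01T10:05:01 sshd 203.0.113.10:443
2018-06-01T10:07:40 curl 198.51.100.7:80
2018-06-01T10:10:03 sshd 203.0.113.10:443
2018-06-01T10:11:09 curl 198.51.100.7:80
2018-06-01T10:15:02 sshd 203.0.113.10:443
2018-06-01T10:20:01 sshd 203.0.113.10:443
2018-06-01T10:31:55 curl 198.51.100.7:80
"""


def parse_log(text):
    """Group connection timestamps by (process, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, dst = line.split()
        series[(proc, dst)].append(datetime.fromisoformat(ts))
    return series


def find_periodic_beacons(text, min_connections=4, max_jitter=0.1):
    """Return [(process, destination, median_gap_seconds), ...] for every
    series whose inter-connection gaps all lie within max_jitter (a fraction)
    of the median gap. Four connections give three gaps, the minimum worth
    measuring."""
    hits = []
    for (proc, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue  # duplicate timestamps, nothing to measure
        worst = max(abs(g - med) for g in gaps) / med
        if worst <= max_jitter:
            hits.append((proc, dst, med))
    return hits


if __name__ == "__main__":
    for proc, dst, gap in find_periodic_beacons(SAMPLE_LOG):
        print(f"periodic: {proc} -> {dst} every ~{gap:.0f}s")
```

On the constructed sample only the `sshd` series is reported (median gap 299 s); the `curl` series has four connections but irregular spacing. In practice feed it connection events from your host telemetry and tune `max_jitter` upward if the beacon adds random delay.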

Defense

You can use the following methods to defend against the malware:
  • Use long and complex passwords.
  • Enable key-based authentications.
  • Disable remote root logins.
  • Use multi-factor authentication through PAM (Pluggable Authentication Modules).
  • Block IP addresses that attempt brute-force logins, using available tooling.
  • Keep IDS/IPS signatures up to date so they can act when an incident occurs.
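Three of the points above map directly onto `sshd_config` directives: `PermitRootLogin`, `PasswordAuthentication`/`PubkeyAuthentication`, and `UsePAM`. The audit below is an added example, not part of the original post or of OpenSSH itself; it parses a config the way sshd does for these directives (first uncommented occurrence wins, keyword case-insensitive), applies upstream OpenSSH defaults for anything absent, and lists the settings that fall short. The two sample configs are constructed, and `Match` blocks and the `Key=value` spelling are deliberately not handled.

```python
"""Audit an sshd_config for the hardening points listed in the post.

Added example; sample configs are constructed. Defaults are upstream
OpenSSH defaults, so a distribution package may ship different ones.
"""

# Constructed weak config: root login enabled, passwords allowed, the
# commented-out line must be ignored, UsePAM falls back to its default.
WEAK_CONFIG = """\
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened config: the post's recommendations applied.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM yes
"""

# (directive, upstream default when absent, acceptable values, reason)
CHECKS = [
    ("PermitRootLogin", "prohibit-password", {"no"},
     "disable remote root logins"),
    ("PasswordAuthentication", "yes", {"no"},
     "rely on key-based authentication instead of passwords"),
    ("PubkeyAuthentication", "yes", {"yes"},
     "keep key-based authentication enabled"),
    ("UsePAM", "no", {"yes"},
     "required for multi-factor authentication through PAM"),
]


def sshd_directive(config_text, name):
    """Return the value of the first uncommented occurrence of a directive,
    or None if it never appears. sshd treats keywords case-insensitively
    and uses the first value it sees, so later duplicates are ignored."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0].lower() == name.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def audit_sshd_config(config_text):
    """Return one finding string per directive whose effective value
    (explicit or defaulted) is not in the acceptable set."""
    findings = []
    for name, default, acceptable, reason in CHECKS:
        value = sshd_directive(config_text, name)
        effective = default if value is None else value
        if effective.lower() not in acceptable:
            origin = " (default)" if value is None else ""
            findings.append(f"{name}={effective}{origin}: {reason}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  WEAK:", f)
```

To audit a live host, read `/etc/sshd_config` (or `/etc/ssh/sshd_config`, depending on the system) into `audit_sshd_config`; `sshd -T` prints the fully resolved configuration, including `Match` blocks, and is the better input when those are in use.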
