MINIBUS: A RoBUSt Successor?
Mandiant observed a second backdoor deployed in this campaign, which bears multiple similarities to MINIBIKE and was therefore named MINIBUS. The MINIBUS platform has been used since at least August 2023, likely during the same time as the latest MINIBIKE versions, though not necessarily to target the same victims.
MINIBUS is a more advanced, updated platform when compared to MINIBIKE. While similar in functionality and code base, MINIBUS contains fewer built-in features but offers a more flexible code-execution and command interface, as well as more advanced reconnaissance features.
This might make the MINIBUS platform a more suitable option for an experienced operator who, instead of relying on ready-to-use features, may require a more flexible platform. Such an operator may be concerned with operational security (OpSec), possibly as an early stage in a more elaborate operation.
Following is a more detailed list of the key differences between the MINIBIKE and MINIBUS platforms.
Functionality
MINIBUS has fewer built-in commands and features when compared with MINIBIKE. Instead, MINIBUS provides a more flexible code-execution and command interface, including the ability to run an executable (for example, a possible next-stage implant) using a single command, unlike MINIBIKE.
MINIBUS has a process enumeration feature. A process list generated by MINIBUS may help the operator avoid detection, for example by identifying processes associated with Virtual Machine (VM) utilities or security products (such as an EDR).
Export DLL Names
The MINIBUS bundle contains DLLs with the names “torvaldinitial.dll” for its launcher/installer and “torvaldspersist.dll” for its payload, unlike MINIBIKE, which utilizes export DLL names like “Dr2.dll” or “MspUpdate.dll” (for its launchers) and “Mini-Junked.dll” or “Micro.dll” (for its payloads).
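The export DLL name lives in the IMAGE_EXPORT_DIRECTORY of a PE file, so the names above can be checked directly from disk. As an added example (not code from the Mandiant report), the Python below reads that field with a minimal PE walk and compares it with the names listed in this section; the sample PE is constructed inline for testing and is not a real MINIBUS or MINIBIKE artifact.

```python
import struct

# Export DLL names this section attributes to MINIBUS and MINIBIKE components.
KNOWN_EXPORT_NAMES = {"torvaldinitial.dll", "torvaldspersist.dll",        # MINIBUS launcher / payload
                      "dr2.dll", "mspupdate.dll", "mini-junked.dll", "micro.dll"}  # MINIBIKE

def export_dll_name(data: bytes):
    """Return the DLL name stored in the PE export directory, or None if absent."""
    if data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)  # COFF header
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    dd = pe + 24 + (112 if magic == 0x20B else 96)                   # DataDirectory[0] = exports
    exp_rva = struct.unpack_from("<I", data, dd)[0]
    if exp_rva == 0:
        return None
    sec = pe + 24 + opt_size                                         # first section header
    table = [struct.unpack_from("<IIII", data, sec + 40 * i + 8) for i in range(nsec)]
    def rva_to_off(rva):                                             # RVA -> file offset via sections
        for vsize, va, rsize, raw in table:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        return None
    exp_off = rva_to_off(exp_rva)
    name_off = exp_off and rva_to_off(struct.unpack_from("<I", data, exp_off + 12)[0])  # .Name RVA
    if not name_off:
        return None
    return data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace")

def matches_known_export_name(data: bytes) -> bool:
    name = export_dll_name(data)
    return name is not None and name.lower() in KNOWN_EXPORT_NAMES

def build_sample_pe(name: str) -> bytes:
    """Constructed minimal PE32+ carrying only an export directory (test input, not a real sample)."""
    pe, hdr = 0x40, bytearray(0x200)
    struct.pack_into("<2s58xI", hdr, 0, b"MZ", pe)                   # DOS header with e_lfanew
    struct.pack_into("<4sHH", hdr, pe, b"PE\0\0", 0x8664, 1)         # signature, Machine, NumberOfSections
    struct.pack_into("<HHH", hdr, pe + 20, 0xF0, 0x2000, 0x20B)      # SizeOfOptionalHeader, DLL flag, PE32+
    struct.pack_into("<II", hdr, pe + 24 + 112, 0x1000, 0x40)        # export directory RVA, size
    sec = pe + 24 + 0xF0
    struct.pack_into("<IIII", hdr, sec + 8, 0x200, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
    body = bytearray(0x200)
    struct.pack_into("<I", body, 12, 0x1028)                         # IMAGE_EXPORT_DIRECTORY.Name RVA
    body[0x28:0x28 + len(name)] = name.encode("ascii")
    return bytes(hdr + body)
```

The match is case-insensitive because the export name is operator-chosen text, and a hit only flags a file for review; it is not proof of MINIBUS or MINIBIKE on its own.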
C2 Communication
MINIBUS uses a combination of an Azure subdomain and unique *.com domains for C2 communications, unlike MINIBIKE, which relies only on Azure infrastructure.
Lures and Themes
MINIBUS deployed lures related to the Israel-Hamas war, including a fake .NET application with themes and contents abusing the “Bring Them Home Now” movement, which calls for the return of the Israeli hostages kidnapped by Hamas. In another MINIBUS instance, Mandiant observed a lure related to Quizora, possibly referring to a quiz application.
Targeting and Geography
As with MINIBIKE, Mandiant observed MINIBUS targeting Israel and possibly India and the UAE. In addition, a MINIBUS C2 domain (cashcloudservices[.]com) had a subdomain with the prefix nsalbaniahack[.]*, suggesting an interest in Albania as well, which is consistent with Iranian interests but has not yet been observed in MINIBIKE-related activity.