Botnet Operators Use Bitcoin Blockchain To Hide Their Activity

Researchers at the security company Akamai have described a cryptocurrency-mining botnet that uses bitcoin transactions to disguise its infrastructure.

The obfuscation method described by the researchers is used by the operators of a long-running malicious cryptomining campaign, who use Bitcoin blockchain transactions to hide the addresses of their backup C&C servers.

The botnet receives its commands from C&C servers. Law enforcement and security firms regularly locate and take down these servers, disrupting the operation. If the operators maintain backup servers, however, a takedown is much harder to make stick. According to the researchers, the criminals hide the IP addresses of their backup C&C servers in the blockchain: a simple but effective way to survive a takedown, because a confirmed blockchain transaction cannot be deleted or altered by anyone.

The attack begins by exploiting remote code execution vulnerabilities in Hadoop Yarn and Elasticsearch, including CVE-2015-1427 and CVE-2019-9082. In some cases, rather than mining on the compromised host directly, the attackers use the foothold to deploy a Redis server scanner that finds additional Redis installations to infect and use for cryptocurrency mining.

In December, Akamai found that bitcoin wallet addresses had been added to new variants of the cryptomining malware, together with the URL of a wallet-lookup API and a set of bash one-liners. The wallet data returned by that API appeared to be used to compute an IP address, which the malware then uses to re-establish contact with its operators and maintain persistence on the infected host. By fetching the address through the wallet API, the operators effectively store obfuscated configuration data on the blockchain, the researchers said.

To turn the wallet data into an IP address, the operators use four bash one-liners that send an HTTP request to a blockchain explorer API for the given wallet and then convert the satoshi values (the smallest unit of bitcoin, one hundred-millionth of a BTC) of the wallet's last two transactions into the IP address of the backup C&C server.
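The following Python is an added illustration of the scheme described above, not code from Akamai or from the malware. It assumes one plausible encoding: each of the two most recent transactions carries 16 bits of the address (satoshi value divided by 256 gives one octet, the remainder the next), with the newest transaction supplying the first two octets. The explorer response, its field names, the wallet address and the command lines are all constructed for the example; the explorer host names in the detection regex are likewise an assumption rather than a published indicator.

```python
import ipaddress
import json
import re
from typing import Tuple

# Constructed sample, not a real explorer response: the field names and the
# newest-first ordering of transactions are assumptions for this example.
SAMPLE_EXPLORER_RESPONSE = json.dumps({
    "address": "1ExampleWalletAddressAAAAAAAAAAAAA",
    "txs": [
        {"hash": "aa" * 32, "value_satoshi": 49152},   # most recent transaction
        {"hash": "bb" * 32, "value_satoshi": 522},     # second most recent
        {"hash": "cc" * 32, "value_satoshi": 123456},  # older, not consulted
    ],
})


def satoshis_to_octets(value: int) -> Tuple[int, int]:
    """Split one satoshi amount into two IPv4 octets (high byte, low byte).

    Assumption: each transaction encodes 16 bits of the address, so an
    amount above 65535 satoshis cannot be part of a valid encoding.
    """
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"{value} satoshis does not fit into two octets")
    return value >> 8, value & 0xFF


def decode_backup_c2(response_json: str) -> str:
    """Rebuild the backup C&C IPv4 address from a wallet's two latest transactions.

    The newest transaction gives the first two octets and the one before it
    the last two (assumed ordering). Raises if fewer than two transactions
    exist or if either amount does not fit the 16-bit encoding.
    """
    txs = json.loads(response_json)["txs"]
    if len(txs) < 2:
        raise ValueError("need at least two transactions to decode an address")
    a, b = satoshis_to_octets(txs[0]["value_satoshi"])
    c, d = satoshis_to_octets(txs[1]["value_satoshi"])
    return str(ipaddress.IPv4Address(f"{a}.{b}.{c}.{d}"))


def encode_backup_c2(ip: str) -> Tuple[int, int]:
    """Inverse of decode_backup_c2: the two satoshi amounts (newest first) an
    operator would have to send to publish a new backup address on-chain."""
    a, b, c, d = ipaddress.IPv4Address(ip).packed
    return (a << 8) | b, (c << 8) | d


# Detection side: a heuristic for shell one-liners that fetch wallet data from
# a public blockchain explorer and feed the result into /256 or %256 arithmetic.
# The host list is an assumption for this example, not a published IOC.
_EXPLORER_RE = re.compile(
    r"\b(curl|wget)\b.*(blockchain\.(info|com)|blockcypher\.com|blockstream\.info)",
    re.IGNORECASE,
)
_ARITH_RE = re.compile(r"\$\(\([^)]*[/%]\s*256[^)]*\)\)")


def looks_like_onchain_c2_lookup(cmdline: str) -> bool:
    """True when a command line both queries an explorer and does octet arithmetic."""
    return bool(_EXPLORER_RE.search(cmdline)) and bool(_ARITH_RE.search(cmdline))


# Constructed command lines for exercising the heuristic.
SUSPICIOUS_CMD = (
    "v=$(curl -s https://blockchain.info/rawaddr/1ExampleWalletAddressAAAAAAAAAAAAA"
    " | head -c 400); a=$((v/256)); b=$((v%256))"
)
BENIGN_CMD = "curl -s https://example.com/api/status | jq .ok"


if __name__ == "__main__":
    print("decoded backup C&C:", decode_backup_c2(SAMPLE_EXPLORER_RESPONSE))
    print("amounts to publish 192.0.2.10:", encode_backup_c2("192.0.2.10"))
    print("suspicious flagged:", looks_like_onchain_c2_lookup(SUSPICIOUS_CMD))
    print("benign flagged:", looks_like_onchain_c2_lookup(BENIGN_CMD))
```

The encode side shows why the trick is cheap for the operator: changing the backup server costs two small transactions to the wallet, and every infected host picks up the new address on its next lookup with no change to the malware. For defenders, the same property turns into a detection opportunity: a Hadoop, Elasticsearch or Redis server has no business talking to a blockchain explorer, so outbound requests to such hosts, or shell history containing explorer URLs next to `/256` arithmetic, are worth alerting on and the explorer domains worth blocking at the egress proxy.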
