Blockchain apparently helping botnet find infected systems that have been orphaned
Security researchers have discovered that a botnet campaign is innovatively using the Bitcoin blockchain to prevent it from being taken down.
While analyzing a long-running crypto-mining botnet campaign, Chad Seaman from Akamai discovered that its operators had camouflaged the IP address of its backup command and control (C&C) server on the Bitcoin blockchain.
In December 2020, Seaman noticed the presence of a Bitcoin wallet address in newer variants of the malware, along with some other details. “In examining these additions further, it became clear the wallet data being fetched from the API was being used to calculate an IP address. This IP is then used for persistence and additional infection operations,” notes Seaman in his analysis of the malware.
Innovative use of the blockchain
Security experts routinely take down C&C servers to dismantle botnets networks. However, Seaman notes that this particular cryptoming botnet campaign has been functioning for over three years, during which it has mined Monero worth more than $30,000.
The operators of the malware have constantly been adapting to takedowns and other setbacks to ensure the continuity of the campaign.
The use of the Bitcoin blockchain is one such step that’ll ensure the infected machines always have a C&C server to call home to, even if the primary server is taken down.
Impressed by the novel approach, Seaman writes that the operators have essentially embedded configuration information in a medium that can’t be seized or censored. “Using this method, the operators of the campaign have turned potential offensive actions against their infrastructure from a serious disruption, to something that can be recovered from quickly and easily.”