A botnet applied for illicit cryptocurrency mining activities is abusing Bitcoin (BTC) transactions to stay less than the radar. 

According to new exploration released by Akamai on Tuesday, the strategy is staying harnessed by operators of a extensive-managing cryptocurrency mining botnet marketing campaign, in which BTC blockchain transactions are becoming exploited to conceal backup command-and-management (C2) server addresses. 

Botnets count on C2 servers to receive commands from cyberattackers. Legislation enforcement and protection groups are continuously finding and having down these C2 servers in purchase to render campaigns defunct — but if backups are in participate in, takedowns can be a lot more tricky. 

Akamai suggests that botnet operators are capable to hide backup C2 IP addresses via the blockchain, and this is described as a “straightforward, however helpful, way to defeat takedown makes an attempt.”

The assault chain commences with the exploit of remote code execution (RCE) vulnerabilities impacting program together with Hadoop Yarn and Elasticsearch, these as CVE-2015-1427 and CVE-2019-9082. 

In some attacks, somewhat than outright method hijacking, RCEs are also getting modified to make Redis server scanners that find added Redis targets for cryptocurrency mining applications. 

A shell script is deployed to induce an RCE on a susceptible system and Skidmap mining malware is deployed. The initial script may possibly also kill off present miners, modify SSH keys, or disable security characteristics. 

Cron work — time-dependent task schedulers — and rootkits are used to manage persistence and even further distribute the malware. However, in order to maintain and re-infect concentrate on systems, domains and static IP addresses are used — and these addresses are eventually recognized and killed by safety groups. 

“Predictably these domains and IP addresses get discovered, burned, and/or seized,” the scientists say. “The operators of this campaign anticipated this and incorporated backup infrastructure in which infections could fall short in excess of and download an current an infection that would, in switch, update the infected machine to use new domains and infrastructure.”

In December, Akamai pointed out a BTC wallet handle was staying integrated in new variants of the cryptomining malware. Moreover, a URL for a wallet-checking API and bash one particular-liners ended up found, and it seems that the wallet information staying fetched by the API was being used to compute an IP tackle. 

This IP address is then applied to maintain persistence. The scientists say that by fetching addresses by way of the wallet API, the malware’s operators are ready to obfuscate and stash configuration details on the blockchain. 

“By pushing a small amount of money of BTC into the wallet, they can recover contaminated systems that have been orphaned,” Akamai states. “They fundamentally have devised a process of distributing configuration details in a medium that is proficiently unseizable and uncensorable.”

To change wallet info into an IP deal with, the operators use four bash one particular-liner scripts to send an HTTP request to the blockchain explorer API for the given wallet, and then the Satoshi values — the smallest, pre-defined price of BTC models — of the most the latest two transactions are then transformed into the backup C2 IP. 

“The infection is applying the wallet handle as a DNS like record, and the transaction values as a type of A record,” Akamai explains. “In Fig. 2 [below], the variable aa has the Bitcoin wallet handle, variable bb includes the API endpoint that returns the latest two transactions used to produce the IP tackle, and variable cc is made up of the remaining C2 IP deal with after the conversion course of action is done. To obtain this conversion, 4 nested Bash a person-liners (a single each individual, per-octet) are concatenated collectively. Although the mess of cURLs, seds, awks, and pipes is tough to make perception of at to start with glance, it truly is a pretty simple approach.”

Bash script case in point of Satoshis to C2 IP conversion


Akamai estimates that to date, about $30,000 in Monero (XMR) has been mined by the operators.

“The strategy is just not perfect,” the researchers famous. “There are advancements that can be produced, which we’ve excluded from this create-up to keep away from providing tips and responses to the botnet developers. Adoption of this approach could be pretty problematic, and it will most likely get popularity in the in close proximity to future.”

Previous and relevant coverage

Have a suggestion? Get in touch securely by using WhatsApp | Signal at +447713 025 499, or above at Keybase: charlie0