Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

09:15 AM
Connect Directly

Botnet Uses Blockchain to Obfuscate Backup Command & Control Information

The tactic makes it much harder for defenders to take down botnets via sinkholing and other standard techniques, Akamai says.

The operator of a known botnet used for cryptocurrency mining has started using a relatively rare technique for maintaining persistence that, if more broadly adopted, could make botnet takedowns much harder to accomplish.

Researchers at Akamai recently observed the technique being used in infection attempts targeting customers of its security intelligence response team. In a new report, the company describes the tactic as involving the use of the Bitcoin blockchain to obfuscate configuration information pertaining to secondary command-and-control (C2) infrastructure for the botnet. The decentralized nature of the blockchain makes the botnet infrastructure more reliable and harder to sinkhole, Akamai says.

Related Content:

Intl. Law Enforcement Operation Disrupts Emotet Botnet

Special Report: 2020 State of Cybersecurity Operations and Incident Response

New From The Edge: Security + Fraud Protection: Your One-Two Punch Against Cyberattacks

"The primary goal is to be able to recover from offensive actions taken against the botnet," says Akamai researcher Evyatar Saias. The operators want to ensure that if domains are seized or IP addresses are null routed, they have an out-of-band method for communicating information that point infected systems to new C2 servers, he says. "They leverage the blockchain to do that because it is decentralized and won't be taken down," Saias says.

The cryptocurrency-mining botnet malware that Akamai observed using the new technique is associated with a campaign called "Skidmap" that targets Linux machines, which Trend Micro first reported in September 2019. The malware exploits publicly known remote code execution vulnerabilities in technologies such as Hadoop YARN and Elasticsearch.

Once installed on a vulnerable system, it uses "cron job," a utility for executing tasks on a specific schedule, to check in with its C2 servers and keep reinfecting compromised systems with the latest version of the malware. To ensure resilience against takedown attempts, the operators of the botnet — like their peers — have established a mechanism with which infected systems automatically download a new version of the malware that is configured to use new domains and infrastructure if the primary one is taken down.

In December 2020, Akamai researchers observed a new version of the botnet malware that took the persistence mechanism up a notch. Akamai discovered the malware featuring a Bitcoin wallet address; a URL for an API for fetching data from the wallet; and several cryptic one-liners in the Bash programming language. The company's analysis of the new additions showed that the data the API was fetching from the Bitcoin wallet was being used to calculate an IP address that the malware can use for persistence and reinfections if the primary C2 infrastructure gets sinkholed.

Hiding in the Blockchain
"They're hiding IP addresses in the values of Bitcoin transactions," Saias says. As an analogy of how the system works, he points to a situation in which an individual might want to obfuscate the phone number at which they want someone else to call them. "Let's say I wanted you to call me, but I wanted to make it hard for others to know which phone number I wanted you to call me at," he says. "We could negotiate a system that says when I want you to call me, I'll wire five small deposits, all under a dollar, into your checking account."


The deposit amounts would map to the phone number to be dialed. For example, if the amounts of the five deposits were of $0.55, $0.51, $0.23, $0.45, and $0.67, respectively, the phone number to be dialed would be 555-123-4567, he says. If that phone number were to be disconnected, all that the other person would need to do to find the new number is look at their checking account after more small deposits are made.

The primary difference between the blockchain approach and other approaches is that usually there is a central authority overseeing the storage and dissemination of C2 information. Since blockchains are decentralized by design, they are resistant to centralized attempts to censor or remove data, Saias says. So, while a command-and-control bot on a social media platform, for example, might be easy to shut down, a wallet operating on a blockchain is considerably harder to neutralize.

"You would need to effectively ban the wallet from inquiries on public blockchain explorer platforms — of which there are many," he says. In the time it would take to coordinate such an effort — even if it were possible — that attacker could simply use another wallet address.

According to Saias, though they have been reports of others using a similar tactic, this is the first time that Akamai has directly observed the use of the blockchain for obfuscating backup IP address information.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...