Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

09:15 AM

Botnet Uses Blockchain to Obfuscate Backup Command & Control Information

The tactic makes it much harder for defenders to take down botnets via sinkholing and other standard techniques, Akamai says.

The operator of a known botnet used for cryptocurrency mining has started using a relatively rare technique for maintaining persistence that, if more broadly adopted, could make botnet takedowns much harder to accomplish.

Researchers at Akamai recently observed the technique being used in infection attempts targeting customers of its security intelligence response team. In a new report, the company describes the tactic as involving the use of the Bitcoin blockchain to obfuscate configuration information pertaining to secondary command-and-control (C2) infrastructure for the botnet. The decentralized nature of the blockchain makes the botnet infrastructure more reliable and harder to sinkhole, Akamai says.


"The primary goal is to be able to recover from offensive actions taken against the botnet," says Akamai researcher Evyatar Saias. The operators want to ensure that if domains are seized or IP addresses are null routed, they have an out-of-band method for communicating information that points infected systems to new C2 servers, he says. "They leverage the blockchain to do that because it is decentralized and won't be taken down," Saias says.

The cryptocurrency-mining botnet malware that Akamai observed using the new technique is associated with a campaign called "Skidmap" that targets Linux machines, which Trend Micro first reported in September 2019. The malware exploits publicly known remote code execution vulnerabilities in technologies such as Hadoop YARN and Elasticsearch.

Once installed on a vulnerable system, it uses a cron job, a task scheduled with the cron utility, to check in with its C2 servers and keep reinfecting compromised systems with the latest version of the malware. To ensure resilience against takedown attempts, the operators of the botnet — like their peers — have established a mechanism by which infected systems automatically download a new version of the malware configured to use new domains and infrastructure if the primary ones are taken down.

In December 2020, Akamai researchers observed a new version of the botnet malware that took the persistence mechanism up a notch. Akamai found that the malware included a Bitcoin wallet address, a URL for an API that fetches data from the wallet, and several cryptic Bash one-liners. The company's analysis of the new additions showed that the data fetched from the wallet via the API was being used to calculate an IP address that the malware can fall back on for persistence and reinfection if the primary C2 infrastructure gets sinkholed.

Hiding in the Blockchain
"They're hiding IP addresses in the values of Bitcoin transactions," Saias says. As an analogy of how the system works, he points to a situation in which an individual might want to obfuscate the phone number at which they want someone else to call them. "Let's say I wanted you to call me, but I wanted to make it hard for others to know which phone number I wanted you to call me at," he says. "We could negotiate a system that says when I want you to call me, I'll wire five small deposits, all under a dollar, into your checking account."


The deposit amounts would map to the phone number to be dialed. For example, if the amounts of the five deposits were of $0.55, $0.51, $0.23, $0.45, and $0.67, respectively, the phone number to be dialed would be 555-123-4567, he says. If that phone number were to be disconnected, all that the other person would need to do to find the new number is look at their checking account after more small deposits are made.
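To make the analogy concrete, here is an added example (not code from Akamai's report or from the malware) that decodes a constructed account ledger the way the recipient in Saias's scenario would: it keeps only deposits that fit the agreed sub-dollar scheme, so unrelated payments landing in the same account are ignored, and it always reads the five most recent, so a fresh batch of deposits yields the new number. The ledger entries, their field names and the "rent" payment are constructed for this example.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample, not data from the Akamai report: the five "deposits" from
# the article's phone-number analogy as an account ledger might list them,
# oldest first, plus one ordinary payment that is not part of the signal.
SAMPLE_LEDGER = [
    {"id": "dep-1", "amount": "0.55"},
    {"id": "dep-2", "amount": "0.51"},
    {"id": "dep-3", "amount": "0.23"},
    {"id": "dep-4", "amount": "0.45"},
    {"id": "dep-5", "amount": "0.67"},
    {"id": "rent", "amount": "950.00"},  # unrelated; the decoder must ignore it
]

DEPOSITS_PER_NUMBER = 5  # five two-digit deposits make a ten-digit number


def deposit_digits(amount: str):
    """Return the two digits a sub-dollar deposit carries ("0.55" -> "55"),
    or None when the amount does not fit the agreed scheme."""
    try:
        cents = Decimal(amount) * 100
    except InvalidOperation:
        return None
    # Whole cents only, and strictly under a dollar: anything else is noise.
    if cents != cents.to_integral_value() or not 1 <= cents <= 99:
        return None
    return f"{int(cents):02d}"


def decode_phone_number(ledger):
    """Rebuild the current number from the five most recent qualifying deposits.
    Later deposits supersede earlier ones, which is how a 'new number' is signalled
    after the old one is disconnected."""
    digits = [d for d in (deposit_digits(e["amount"]) for e in ledger) if d is not None]
    if len(digits) < DEPOSITS_PER_NUMBER:
        return None  # not enough signal yet to form a full number
    joined = "".join(digits[-DEPOSITS_PER_NUMBER:])
    return f"{joined[:3]}-{joined[3:6]}-{joined[6:]}"


if __name__ == "__main__":
    print(decode_phone_number(SAMPLE_LEDGER))  # 555-123-4567
```

The same read-the-latest-entries logic is what lets a defender who knows the wallet and the scheme compute the backup address from public ledger data and block it before infected hosts fall back to it.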

The primary difference between the blockchain approach and other approaches is that usually there is a central authority overseeing the storage and dissemination of C2 information. Since blockchains are decentralized by design, they are resistant to centralized attempts to censor or remove data, Saias says. So, while a command-and-control bot on a social media platform, for example, might be easy to shut down, a wallet operating on a blockchain is considerably harder to neutralize.

"You would need to effectively ban the wallet from inquiries on public blockchain explorer platforms — of which there are many," he says. In the time it would take to coordinate such an effort — even if it were possible — the attacker could simply use another wallet address.

According to Saias, though there have been reports of others using a similar tactic, this is the first time that Akamai has directly observed the use of the blockchain for obfuscating backup IP address information.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
