The operator of a known botnet used for cryptocurrency mining has started using a relatively rare technique for maintaining persistence that, if more broadly adopted, could make botnet takedowns much harder to accomplish.
Researchers at Akamai recently observed the technique being used in infection attempts targeting customers of its security intelligence response team. In a new report, the company describes the tactic as involving the use of the Bitcoin blockchain to obfuscate configuration information pertaining to secondary command-and-control (C2) infrastructure for the botnet. The decentralized nature of the blockchain makes the botnet infrastructure more reliable and harder to sinkhole, Akamai says.
"The primary goal is to be able to recover from offensive actions taken against the botnet," says Akamai researcher Evyatar Saias. The operators want to ensure that if domains are seized or IP addresses are null-routed, they have an out-of-band method for communicating information that points infected systems to new C2 servers, he says. "They leverage the blockchain to do that because it is decentralized and won't be taken down," Saias says.
The cryptocurrency-mining botnet malware that Akamai observed using the new technique is associated with a campaign called "Skidmap," first reported by Trend Micro in September 2019, that targets Linux machines. The malware exploits publicly known remote code execution vulnerabilities in technologies such as Hadoop YARN and Elasticsearch.
Once installed on a vulnerable system, it uses cron, a utility for executing tasks on a specific schedule, to check in with its C2 servers and keep reinfecting compromised systems with the latest version of the malware. To ensure resilience against takedown attempts, the operators of the botnet — like their peers — have established a mechanism with which infected systems automatically download a new version of the malware that is configured to use new domains and infrastructure if the primary ones are taken down.
In December 2020, Akamai researchers observed a new version of the botnet malware that took the persistence mechanism up a notch. Akamai found that the malware now contained a Bitcoin wallet address, a URL for an API for fetching data about that wallet, and several cryptic Bash one-liners. The company's analysis of the new additions showed that the data the API fetched from the Bitcoin wallet was being used to calculate an IP address that the malware can use for persistence and reinfection if the primary C2 infrastructure gets sinkholed.
Hiding in the Blockchain
"They're hiding IP addresses in the values of Bitcoin transactions," Saias says. As an analogy of how the system works, he points to a situation in which an individual might want to obfuscate the phone number at which they want someone else to call them. "Let's say I wanted you to call me, but I wanted to make it hard for others to know which phone number I wanted you to call me at," he says. "We could negotiate a system that says when I want you to call me, I'll wire five small deposits, all under a dollar, into your checking account."
The deposit amounts would map to the phone number to be dialed. For example, if the five deposits were $0.55, $0.51, $0.23, $0.45, and $0.67, respectively, the phone number to be dialed would be 555-123-4567, he says. If that phone number were disconnected, all the other person would need to do to find the new number is look at their checking account after more small deposits are made.
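The analogy above, worked through in code as an added illustration (this is not code from Akamai's report or from the malware): an analyst who knows the agreed scheme recovers the hidden number from the ordered list of sub-dollar deposit amounts, rejecting anything that does not fit the scheme. The deposit values are the ones from the analogy; the function names are this example's own.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample: the five deposits from the article's analogy, in the
# order they were received.
SAMPLE_DEPOSITS = ["0.55", "0.51", "0.23", "0.45", "0.67"]


def decode_deposits(amounts):
    """Recover the digits hidden in a sequence of sub-dollar deposits.

    Under the analogy's agreed scheme, every deposit is under one dollar and
    its cents value contributes two digits, in the order the deposits were
    made. Returns the concatenated digit string (e.g. '5551234567').
    """
    digits = []
    for amount in amounts:
        try:
            value = Decimal(str(amount))
        except InvalidOperation as exc:
            raise ValueError(f"not a monetary amount: {amount!r}") from exc
        # A deposit at or above a dollar (or non-positive) is outside the
        # scheme and cannot be part of the hidden number.
        if not (Decimal("0") < value < Decimal("1")):
            raise ValueError(f"deposit {value} is outside the agreed range")
        scaled = value * 100
        cents = int(scaled.to_integral_value())
        if cents != scaled:
            raise ValueError(f"deposit {value} is not a whole number of cents")
        digits.append(f"{cents:02d}")
    return "".join(digits)


def as_phone_number(digits):
    """Format a ten-digit string as NNN-NNN-NNNN, the analogy's phone number."""
    if len(digits) != 10 or not digits.isdigit():
        raise ValueError("expected exactly ten digits")
    return f"{digits[:3]}-{digits[3:6]}-{digits[6:]}"


if __name__ == "__main__":
    print(as_phone_number(decode_deposits(SAMPLE_DEPOSITS)))  # 555-123-4567
```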
The primary difference between the blockchain approach and other approaches is that usually there is a central authority overseeing the storage and dissemination of C2 information. Since blockchains are decentralized by design, they are resistant to centralized attempts to censor or remove data, Saias says. So, while a command-and-control bot on a social media platform, for example, might be easy to shut down, a wallet operating on a blockchain is considerably harder to neutralize.
"You would need to effectively ban the wallet from inquiries on public blockchain explorer platforms — of which there are many," he says. In the time it would take to coordinate such an effort — even if it were possible — that attacker could simply use another wallet address.
According to Saias, though there have been reports of others using a similar tactic, this is the first time that Akamai has directly observed the blockchain being used to obfuscate backup IP address information.