The Bitcoin blockchain is being used to shield some serious malware

botnet
(Image credit: Shutterstock / Jaiz Anuar)

Security researchers have discovered that a botnet campaign is innovatively using the Bitcoin blockchain to prevent it from being taken down.

While analyzing a long-running crypto-mining botnet campaign, Chad Seaman from Akamai discovered that its operators had camouflaged the IP address of its backup command and control (C&C) server on the Bitcoin blockchain.

In December 2020, Seaman noticed the presence of a Bitcoin wallet address in newer variants of the malware, along with some other details. “In examining these additions further, it became clear the wallet data being fetched from the API was being used to calculate an IP address. This IP is then used for persistence and additional infection operations,” notes Seaman in his analysis of the malware.

Innovative use of the blockchain

Security experts routinely take down C&C servers to dismantle botnets networks. However, Seaman notes that this particular cryptoming botnet campaign has been functioning for over three years, during which it has mined Monero worth more than $30,000.

The operators of the malware have constantly been adapting to takedowns and other setbacks to ensure the continuity of the campaign. 

The use of the Bitcoin blockchain is one such step that’ll ensure the infected machines always have a C&C server to call home to, even if the primary server is taken down.

Impressed by the novel approach, Seaman writes that the operators have essentially embedded configuration information in a medium that can’t be seized or censored. “Using this method, the operators of the campaign have turned potential offensive actions against their infrastructure from a serious disruption, to something that can be recovered from quickly and easily.”

Via: Ars Technica

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.