Recent cryptomining botnet campaign has been observed using Bitcoin blockchain transactions to hide its backup C2 IP addresses.Adoption of this technique can be troublesome and expected to become popular in the near future.
Last year akamai spotted a BTC wallet address being used in new variants of the cryptomining malware. The wallet data was used to distribute crypto-malware and establish persistence.
- The attack starts with the exploitation of RCE vulnerabilities that exist in software such as Hadoop Yarn and Elasticsearch (tracked as CVE-2015-1427/CVE-2019-9082).
- Instead of directly hijacking the system, attackers used modified RCEs to create Redis server scanners that were used to find further Redis targets for cryptocurrency mining operations.
- A shell script is used to trigger an RCE on an exposed system and Skidmap malware is deployed. The initial script can terminate existing miners, disable security features, or modify SSH keys.
According to Akamai, over $30,000 in Monero has been mined by the operators to public pools over the past three years. These Monero transactions are anonymous and do not require specialized machines for mining.
Another innovative evasion attempt
The use of BTC transactions to evade detection is the second innovative attempt seen in recent times.
- An attacker was observed using an unusual DNS query via nslookup.exe to hide their actual malicious intent.
- It was using the certutil tool and obfuscated AutoIT script as multi-step obfuscation layers to protect its payload.
The usage of such innovative techniques to evade detection has serious implications on tracking, defending, and takedown attempts made by researchers, infrastructure operators, and law enforcement. Therefore, security agencies need to explore innovative ideas to take some lead in this cat-and-mouse game with attackers.