In order to hide its backup C2 IP addresses, a recent crypto mining botnet campaign has been observed using Bitcoin blockchain transactions. It’s turned out to be a very effective way of staying undetected and avoiding any takedown attempts. The technique is tricky in nature and its adoption is tedious but it is all set for popularity in the future.
What transpired?
Researchers spotted a BTC wallet address being used in new variants of the crypto mining malware, in the month of December. With the help of this wallet, the distribution of crypto-malware took place along with establishing persistence.
- The attack commences with the exploitation of RCE vulnerabilities that exist in software such as Hadoop Yarn and Elasticsearch (tracked as CVE-2015-1427/CVE-2019-9082).
- instead of directly hijacking the system, modified RCEs were used by the attackers to create Redis server scanners. These scanners were further used to find further Redis targets for cryptocurrency mining operations.
- The Skidmap malware is then installed after the RCE is triggered with the use of a shell script on an exposed system. The initial script can terminate existing miners, disable security features, or modify SSH keys.
The Mining So Far –
Over the past three years, researchers have estimated that over $30,000 in Monero has been mined by the operators to public pools. These Monero transactions do not require specialized machines for mining and are completely anonymous.
Innovative attempt to Evade Detection
In recent times, the use of BTC transactions to evade detection is the second innovative attempt to be noticed by researchers.
- Yet another attack was observed recently using an unusual DNS query via nslookup.exe to hide their actual malicious intent.
- The certutil tool was used along with obfuscated AutoIT script as multi-step obfuscation layers to protect its payload.
The execution of such a sophisticated technique to evade detection has serious implications on tracking, defending, and takedown attempts made by researchers, infrastructure operators, and law enforcement. Consequently, equally innovative ideas need to be explored to gain the upper hand on the attackers.
To read more, please check eScan Blog
