Cryptomining Botnet Uses Bitcoin Wallet to Avoid DetectionAkamai Describes How This Approach Works
A cryptomining botnet campaign is using bitcoin blockchain transactions to hide command-and-control server addresses and stay under the radar, defeating takedown attempts, according to security firm Akamai.
By putting some blockchain transactions into a cryptocurrency wallet, attackers can recover infected systems that have been orphaned, creating a way to distribute configuration information in a medium that is effectively unseizable and uncensorable, researchers at the security firm say.
The initial infection starts with the exploitation of remote code execution vulnerabilities in Hadoop Yarn, Elasticsearch (CVE-2015-1427) and ThinkPHP (CVE-2019-9082). The payload delivered causes the vulnerable machine to download and execute a malicious shell script.
"In older campaigns, the shell script itself handled the key functions of infection. The stand-alone script disabled security features, killed off competing infections, established persistence, and in some cases, continued infection attempts across networks found within the known host files," the report notes.
But the newer instances of the shell script are written with fewer lines of code and use binary payloads for handling more system interactions, such as killing off competition, disabling security features, modifying SSH keys, downloading malware and starting the miners.
Researchers note that the operators behind the campaign use cron jobs and rootkits for persistence and updates to distribution, ensuring infected machines will regularly check in and be reinfected with the latest version of the malware.
These methods rely on domains and static IP addresses written into crontabs and configurations, and these domains and IP addresses routinely get identified and seized, the researchers say. But the operators include a backup infrastructure in which infections could go into failover mode and download an updated infection that would, in turn, update the infected machine to use new domains and infrastructure.
"While this technique works, a coordinated takedown effort that targets domains and failover IP address/infrastructure all at once could effectively cut the operators out of maintaining their foothold on infected systems," the researchers note.
Use of Bitcoin Wallet
In December 2020, Akamai researchers detected the presence of a bitcoin wallet address in newer variants of this malware, a URL for a wallet-checking API and a cryptic series of nested bash one-liners.
The data being fetched from the API is used to calculate an IP address, which is further used for persistence and additional infection operations, the researchers say.
"This is a very clever and strategic technique. It enables the operators to stash obfuscated configuration data on the blockchain," according to Akamai. "By pushing a small amount of BTC [bitcoin] into the wallet, they can recover infected systems that have been orphaned. They essentially have devised a method of distributing configuration information in a medium that is effectively unseizable and uncensorable. Using this method, the operators of the campaign have turned potential offensive actions against their infrastructure from a serious disruption to something that can be recovered from quickly and easily."
Akamai's security intelligence response team estimates that the operators behind the campaign have mined over $30,000 in monero from unknowing hosts over the past three years.
To convert a bitcoin transaction into an IP address, the script first needs to know what transactions the wallet has sent and received. The cryptominers achieve this by doing an HTTP request to a blockchain explorer API (api.blockcypher.com) for the last two transactions for the given wallet address, and then converting the Satoshi values of these transactions into the backup C2 IP address, Akamai states.
In the campaign, remote code execution has been modified to create a Redis scanning and compromising bot that crafts "a series of commands that are launched against Redis servers with weak passwords. This, in turn, converts the Redis servers into miners and scanners as well," the researchers note.