Security experts from Akamai have detected another botnet utilized for illegal cryptocurrency mining exercises that are abusing Bitcoin (BTC) transactions to remain under the radar. This procedure permits botnet operators to make their infrastructure resilient to takedown led by law enforcement.
“A recent piece of malware from a known crypto mining botnet campaign has started leveraging Bitcoin blockchain transactions in order to hide its backup C2 IP address. It’s a simple, yet effective, way to defeat takedown attempts.” reads the post published by Akamai. “Recent infection attempts against Akamai SIRT’s custom honeypots uncovered an interesting means of obfuscating command and control (C2) infrastructure information. The operators of a long-running crypto-mining botnet campaign began creatively disguising their backup C2 IP address on the Bitcoin blockchain.”
The infection chain starts the exploitation of Remote Code Execution (RCE) vulnerabilities affecting Hadoop Yarn, Elasticsearch (CVE-2015-1427), and ThinkPHP (CVE-2019-9082). Botnet operators utilized Redis server scanners to discover installs that could be undermined to mine cryptocurrencies. The experts assessed that botnet operators have mined more than $30,000 in Monero in public pools since 2018. Experts distinguished various variations over time, using different techniques and tools.
The more seasoned variants were utilizing a shell script to do the main functions, for example, disabling security features, killing off competing infections, establishing persistence, and in some cases, propagating within the compromised network. Newer variations of the shell script leverage binary payloads for handling more system interactions, like killing off competition, disabling security features, modifying SSH keys, downloading, and starting the miners. Botnet operators use cron jobs and rootkits to accomplish persistence and re-infect with the most recent rendition of the malware.
In December 2020, the researchers found a BTC wallet address that was included in new variations of the miner, alongside a URL for a wallet-checking API and bash one-liners. The experts found that the wallet information was being fetched by the API and used to figure an IP address used to maintain persistence. By fetching addresses through the wallet API, botnet operators are able to obfuscate and backup configuration data on the blockchain. Experts noticed that by pushing a modest quantity of BTC into the wallet, operators can recuperate infected systems that have been orphaned.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.