Hackers Use Bitcoin Blockchain to Create Resilient Botnets

Hackers Use Bitcoin Blockchain to Create Resilient Botnets

Bitcoin Transactions Have Become A Convenient Vault for Performing Attacks Using C&C Servers

DDoS reigns supreme. In 2020, more than a hundred companies whose activities are in the sphere of finance have become victims of DDoS attacks. Teresa Walsh, head of global research at FS-ISAC, says today’s cybercriminals have increased their potential in the global marketplace. FS-ISAC predicts that the number of cybercrimes will grow along with technological capabilities.

According to Media OutReach, hacker DDoS attacks have become the most common form of ransomware. It is reported that the attackers “sent extortion notes threatening to disrupt the firms’ websites and digital services.” Cybercriminals have methodically attacked companies from different jurisdictions. For example, most attacks were directed at North America (43%), Europe (38%), and the Asian region (15%), and their targets included banks (41% of attacks), exchanges (15%), and payment services (13 %).

At the same time, the situation can be significantly worsened by the rapid spread of cryptocurrencies. FS-ISAC predicts an increase in hacker attacks due to the rise in prices of popular cryptocurrencies, including bitcoin, which cybercriminals have begun to use as a separate and effective tool for carrying out attacks and introducing malicious software.

Cyber attackers use the bitcoin blockchain to cover their tracks

This conclusion was made by researchers from Akamai, a company that specializes in information security. They managed to capture a new botnet that disguised its C&C (command-and-control) servers on the bitcoin blockchain.

A C&C server is a server through which a cyber attacker monitors the activities of malicious software. In new botnets, Akamai discovered API URLs used to identify IP addresses. In this regard, attackers form a connection with their servers through the blockchain by using the API of a cryptocurrency wallet.

Why do they need it? First of all, it is crucial for cybercriminals to have control over the server that they use to send malicious code to the victim’s computer. In turn, network administrators need to protect computers from external connections, so all their actions are aimed at intercepting the attackers’ servers and disabling botnets.

However, the blockchain has become the very place that allows hiding and disguising the IP addresses of hackers, thereby complicating the security service’s work or even eliminating its interference.

How IP address creation in the blockchain works

The IP address is actually created using a bash script. Then, according to experts, the HTTP request is sent via the bitcoin blockchain network. Returned values in the form of Satoshi (bitcoin denomination) are recorded into the IP address of the backup C&C server.

For understanding the process, it is necessary to dwell on the meaning of the term “Satoshi.” Bitcoin is divisible by an eighth decimal fraction (1.00000000 Bits), which means that each Bitcoin can be divided into 100,000,000 pieces. Satoshi is one hundred millionth part of Bitcoin (0.00000001) and is the smallest unit of Bitcoin at present. Accordingly, in order to hide the IP address, hackers modify Satoshi value, turning it into a hexadecimal code by using botnet software.

In order to convert bitcoin transactions into an IP address, the script checks the latest inbound and outbound transactions for a given bitcoin wallet. This task is performed by an HTTP request through the blockcypher.com website API. In each transaction, the script reads values that are essentially the encrypted part of the IP address. The screenshot below shows an example that Akamai has provided to demonstrate aspects of the HTTP request.

Next, the attackers analyze each individual transaction that is carried out by using the blockchain. As an example, the researchers provide two transactions from the bitcoin network. The fragment below shows that the values of the last two transactions for the 1Hf2C address are 6957 and 36305 Satoshi.

Converting the value of the most recent transaction (6957) to its hexadecimal form results in the value 0x1b2d. Further, if a hacker takes the first and second bytes (0x1b and 0x2b) and converts them to an integer, then the values 45 and 27 will be obtained. These are precisely those numbers that are part of the future IP address. Then, the same conversion occurs with the value 36305, where the numbers 141 and 209 are output. In this regard, combining the four generated parts in the correct order results in the final IP address 209.141.45.27.

What happens as a result

If the attackers have followed the entire sequence of actions correctly and their botnet is working, then they will receive direct communication with the infected computers, which will contact the original server to receive the next virus update. In this case, hiding the IP address is important for the following reasons. If the operator loses communication with the server, then the botnet will be able to access a backup copy of the IP address encrypted in bitcoin, which, in turn, is able to track an infinite number of transactions, thereby giving the attackers a new base for scripts.

In this regard, since hackers have a constant ability to connect the botnet to the server, they do not allow any countermeasure from the security service and successfully mask their codes in the infected computer. In particular, the IP address inscribed in one of the bitcoin blocks prevents the possibility of its deletion or blocking by the network administrators.

This strategy is more effective and gives better results than the classic copying methods used by cybercriminals. Another benefit for attackers is that such an operation is quite cheap since one Satoshi is enough to change the IP address detected by the security service.

Technology prevalence

The scheme of hiding command servers is not new. Different groups of cybercriminals have already used means like GPS values stored in images, and even comments in Britney Spears’s Instagram account. The camouflage method is innovative and can make it difficult for law enforcement agencies to identify intruders.

The threat level of attacks from cybercriminals who use crypto-mining botnets is also growing rapidly. For example, the WatchDog botnet appeared just two years ago. However, it is already considered one of the most dangerous malware that can infect devices running Linux and Windows operating systems.

Therefore, the use of bitcoins can become a game-changer for committing cybercrimes. It can bring significant profits. The exact amount is almost impossible to estimate due to the existence of a large number of transactions, the analysis of which is problematic. The botnet discovered by Akamai was used to mine the Monero cryptocurrency and has earned about $43,000 worth of the digital coin.

The weak spot

So far, disrupting the scheme has been simple. In this case, sending a single Satoshi to the attacker’s wallet will prevent the script from reading the IP address correctly. There is yet another way – preventing the scheme from the beginning. Servers using blockchain are a backup in case the primary server stops working. If you successfully sinkhole the primary infrastructure, you can make it respond with a 200-status code so that backups never start working.

However, researchers expressed concern over possible improvements. The adoption of blockchain-based techniques can cause serious problems while gaining popularity in the nearest future.