Cyber criminals have always been attracted to cryptocurrencies because it provides a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a payment method for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity and subsequent rising price of cryptocurrencies by conducting various operations aimed at them, such as malicious cryptocurrency mining, collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.
Coinciding with the rising interest in stealing cryptocurrencies, distributed ledger technology (DLT), the technology that underpins cryptocurrencies, has also provided cyber criminals with a unique means of hosting their malicious content. This blog covers the growing trend of cyber criminals using blockchain domains for malicious infrastructure.
Blockchain Infrastructure Use
Traditionally, cyber criminals have used various methods to obfuscate malicious infrastructure that they use to host additional payloads, store stolen data, and/or function as command and control (C2) servers. Traditional methods include using bulletproof hosting, fast-flux, Tor infrastructure, and/or domain generation algorithms (DGAs) to help obfuscate the malicious infrastructure. While we expect cyber criminals to continue to use these techniques for the foreseeable future, another trend is emerging: the use of blockchain infrastructure.
Underground Interest in Blockchain Infrastructure
FireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency infrastructure-related topics dating back to at least 2009 within underground communities. While searches for certain keywords fail to provide context, the frequency of specific words, such as blockchain, Namecoin, and .bit, show a sharp increase in conversations surrounding these topics beginning in 2015 (Figure 1).
Figure 1: Underground keyword mentions
Namecoin is a cryptocurrency based on the Bitcoin code that is used to register and manage domain names with the top-level domain (TLD) .bit. Everyone who registers a Namecoin domain is essentially their own domain registrar; however, domain registration is not associated with an individual’s name or address. Rather, domain ownership is based on the unique encrypted hash of each user. This essentially creates the same anonymous system as Bitcoin for internet infrastructure, in which users are only known through their cryptographic identity. Figure 2 illustrates the Namecoin domain name generation process.
Figure 2: Namecoin domain creation process
As Namecoin is decentralized, with no central authority managing the network, domains registered with Namecoin are resistant to being hijacked or shut down. These factors, coupled with the comparative anonymity, make Namecoin an increasingly attractive option for cyber criminals in need of supporting infrastructure for their malicious operations.
Navigating to Namecoin Domains
Domains registered with Namecoin use the TLD .bit, and are not managed by standard DNS providers. Consequently, a client will be unable to establish a connection to these blockchain domains unless additional configurations are made. According to the Namecoin wiki, individuals can take one of the steps shown in Figure 3 to browse .bit domains.
Figure 3: Options for navigating to Namecoin domains outlined on Namecoin wiki
These options are not ideal for cyber criminals, as downloading the entire blockchain onto an infected host would require significant space and bandwidth, and routing their malicious traffic through an unknown third party could result in their traffic being blocked by the resolver. As a result, many have configured their malware to query their own privately managed Namecoin-compatible OpenNIC DNS (Figure 4), or to query other compatible servers they’ve purchased through underground infrastructure offerings. Bulletproof hosting providers, such as Group 4, have capitalized on the increased demand for .bit domains by adding support to allow malicious actors to query compatible servers.
Figure 4: Blockchain domain support advertised on OpenNIC website
Underground Advertisements for Namecoin Support
The following underground advertisements relating to the use of .bit domains have been observed by researchers over the past several years. These posts range from actors offering .bit compatible modules or configuration updates for popular banking Trojans to .bit infrastructure offerings.
Sample Advertisement #1
Figure 5 shows an advertisement, observed in late 2015, posted by the actor “wachdog” in a popular Russian-speaking marketplace. The actor advertised a small utility (10 KB in size) that is compatible with both Windows and Android operating systems, and would allow for the communication to and from .bit domains.
|Advertisement Translated Text:
The code is written in C+ for WinAPI or Java for Android. It can be used for small stealth applications to access .bit domains.
The registration of new domain costs 0.02 NMC, update of a record – 0.005 NMC.
So, the price for domain registration and update will be approximately 0.0072$ and 0.0018$.
The code works in all Windows starting from XP, it doesn’t require additional libraries, admin privileges, it doesn’t download a lot of data. The size of compiled code is 10 KB. It’s easy to write it in asm, paskal, c#, java etc. It also works for Android (all versions).
You should download the Namecoin wallet, credit it with the minimum amount of NMC and register your own domain using the wallet. IP of C&C can be linked to the domain also using the wallet (one of many, everything works as for normal DNS). Create a build of your software locked to .bit domain. In case the IP of your server is listed, just change the DNS record and assign your domain a new IP for just for 0.005 NMC. No need in new rebuild or registration of new domains. .bit domain cannot be taken, botnet cannot be stolen.
Technology + code in C: $300 USD
Technology + code in C + code in Java for Android: $400 USD
Figure 5: Actor “wachdog” advertises utility to connect to .bit domains in late 2015
Sample Advertisement #2
In late 2017, actor “Discomrade” advertised a new HTTP distributed denial of service (DDoS) malware named “Coala” on a prominent Russian-language underground forum (Figure 6). According to the advertisement, Coala focuses on L7 (HTTP) attacks and can overcome Cloudflare, OVH, and BlazingFast DDoS protections. The original posting stated that the actor was working on adding support for .bit domains, and later updated the forum post to specify that Coala was able to support .bit domain communications.
|Advertisement Translated Text:
Coala – Http DDoS Bot, .net 2.0, bypass cloudflare/ovh/blazi…
I changed my decision to rewrite the bot from the scratch on native language.
I added the following features/options/abilities:
– to customize the HTTP-headers (user-agent, cookie, referrer)
I removed the feature related to DDoS attacks against TOR sites because of its improper functioning and AV detects.
Currently I am working on .bit domains support.
The price: $400
Figure 6: Discomrade advertising Coala DDoS malware support for .bit domains
Sample Advertisement #3
The AZORult malware, which was discovered in mid-2016, is offered in underground marketplaces by the actor “CrydBrox.” In early 2017, CrydBrox offered an updated variant of the AZORult malware that included .bit support (Figure 7).
|Advertisement Translated Text:
[+] added .bit domains support
ture, system version, privileges, collected passwords
There are 4 variants of the stealer:
Read more at: FireEye