New research published by Akamai details a technique used by cryptomining botnet operators to hide backup command-and-control (C2) server addresses inside Bitcoin (BTC) blockchain transactions.
By concealing the backup C2 addresses this way, the operators of this long-running campaign can keep issuing commands to infected machines even after their primary infrastructure is taken down.
To date, over $30,000 in Monero (XMR) has been mined by the bad actors, Akamai estimates.
Akamai says in the report that the operators chose to hide backup C2 IP addresses on the blockchain because blockchain transactions cannot be seized or altered, so a takedown of their conventional domains and servers by law enforcement does not cut them off from their bots.
The infection begins by exploiting a remote code execution (RCE) vulnerability on an exposed system to run a shell script that deploys the Skidmap mining malware. The same script also kills any mining processes already running on the host, disables security features, and modifies SSH keys.
To maintain persistence and spread the malware further, the operators rely on cron jobs and rootkits.
The usual way to disrupt such a campaign is to identify and take down the domains and static IP addresses the operators depend on to maintain access and re-infect systems.
The operators of this campaign foresaw this and “included backup infrastructure where infections could fail over and download an updated infection that would, in turn, update the infected machine to use new domains and infrastructure,” Akamai researchers say.
During its investigation, Akamai found a BTC wallet address embedded in the malware that the operators use to keep control of infected hosts: a bot looks up the most recent transactions sent to that wallet and converts their Satoshi amounts into the IP address of the current backup C2 server. This is what gave the researchers their clearest picture of how the campaign survives takedowns.
“By pushing a small amount of BTC into the wallet, they can recover infected systems that have been orphaned,” Akamai researchers explain. “They essentially have devised a method of distributing configuration information in a medium that is effectively unseizable and uncensorable.”
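To make the mechanism concrete, here is an added example written for this article; it is not Akamai's code and not the malware's script. It packs an IPv4 address into the Satoshi amounts of two transactions, decodes the address back out of a constructed explorer-style API response (the way a bot would), and then flags proxy log lines where a server reached a blockchain explorer API, which is the one network footprint such a bot cannot avoid. The octet packing order, the JSON layout, the wallet address, the log lines, the test-net IP address and the explorer hostnames used for matching are all assumptions made for this example, not details taken from the report.

```python
from __future__ import annotations

import ipaddress
import json

# --- Encoding side -------------------------------------------------------
# Assumed packing (this example's convention, not a claim about Skidmap):
# the newest transaction to the wallet carries octets 1 and 2, the one
# before it carries octets 3 and 4, each amount = low_octet | high_octet << 8.
# Every amount therefore stays below 65,536 Satoshi (under 0.0007 BTC).
MAX_SATOSHI = 0xFFFF


def encode_ip(ip: str) -> tuple[int, int]:
    """Return the two Satoshi amounts (newest tx, older tx) that encode an IPv4 address."""
    o = ipaddress.IPv4Address(ip).packed          # four bytes, network order
    newest = o[0] | (o[1] << 8)
    older = o[2] | (o[3] << 8)
    return newest, older


def decode_ip(newest: int, older: int) -> str:
    """Inverse of encode_ip; rejects amounts that cannot hold two octets."""
    for amount in (newest, older):
        if not 0 <= amount <= MAX_SATOSHI:
            raise ValueError(f"amount {amount} does not fit two octets")
    octets = (newest & 0xFF, newest >> 8, older & 0xFF, older >> 8)
    return ".".join(str(b) for b in octets)


# --- Bot side: recover the address from an explorer lookup ---------------
# Constructed stand-in for a blockchain-explorer API response; the wallet
# address, transaction hashes and amounts are invented for this example.
EXPLORER_RESPONSE = json.dumps({
    "address": "1ExampleWalletAddressNotReal",
    "txs": [                                  # newest first
        {"hash": "tx-newest", "value_satoshi": 203},
        {"hash": "tx-older", "value_satoshi": 2673},
        {"hash": "tx-ancient", "value_satoshi": 100000},
    ],
})


def c2_from_explorer(response_text: str) -> str:
    """Decode the backup C2 IP from the two most recent transactions to the wallet."""
    txs = json.loads(response_text)["txs"]
    if len(txs) < 2:
        raise ValueError("need two transactions to rebuild an IPv4 address")
    return decode_ip(txs[0]["value_satoshi"], txs[1]["value_satoshi"])


# --- Defender side: the lookup itself is the detectable footprint ---------
# Example explorer API hostnames to watch for (assumed list; adapt to your environment).
EXPLORER_API_HOSTS = {"api.blockcypher.com", "blockchain.info", "api.blockchain.info"}

# Constructed forward-proxy log lines: timestamp, source host, method, target, status.
PROXY_LOG = """\
2021-02-24T10:01:02Z web-03 CONNECT api.blockcypher.com:443 200
2021-02-24T10:01:05Z web-03 GET https://mirrors.example.org/ubuntu/ 200
2021-02-24T10:02:11Z db-01 CONNECT blockchain.info:443 200
2021-02-24T10:02:40Z db-01 GET https://pypi.org/simple/ 200
"""


def flag_explorer_lookups(log_text: str) -> list[tuple[str, str]]:
    """Return (source_host, explorer_host) for every line that reaches an explorer API."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        target = fields[3].split("://")[-1]   # strip scheme if present
        host = target.split("/")[0].split(":")[0]
        if host in EXPLORER_API_HOSTS:
            hits.append((fields[1], host))
    return hits


if __name__ == "__main__":
    amounts = encode_ip("203.0.113.10")       # TEST-NET-3 address, not a real C2
    print("amounts:", amounts, "->", decode_ip(*amounts))
    print("C2 from explorer:", c2_from_explorer(EXPLORER_RESPONSE))
    print("explorer lookups:", flag_explorer_lookups(PROXY_LOG))
```

The point for defenders is that the immutability of the channel protects the wallet, not the bot: a compromised server still has to reach an explorer API over ordinary HTTPS to read the transactions, so egress from production hosts to such services is the observable to alert on, and a wallet address pulled from a sample can be monitored through the same APIs to learn the new C2 at the same moment the bots do.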
Researchers warn that other criminal groups could adopt the technique, that it is likely to gain popularity in the near future, and that wider use would make infrastructure takedowns considerably less effective against these campaigns.
To read the full analysis, please visit Akamai’s original report.