Botnet Abuses Bitcoin Blockchains For Illicit Cryptocurrency Mining

New research published by Akamai details the technique used by cybercriminals to exploit BTC blockchain transactions for mining purposes.

Operators of this long-running cryptocurrency mining botnet effectively hide backup command-and-control (C2) server addresses in Bitcoin blockchain transactions, which lets them keep sending commands to infected machines.

To date, over $30,000 in Monero (XMR) has been mined by the bad actors, Akamai estimates.

Akamai says in the report that the botnet operators chose to hide backup C2 IP addresses on the blockchain because that way they can prevent takedowns of their campaigns by law enforcement.

The attacks

The attack chain begins with the exploitation of remote code execution (RCE) vulnerabilities such as CVE-2015-1427 and CVE-2019-9082, which affect software like Hadoop YARN and Elasticsearch.

With the help of a shell script, the attackers trigger an RCE on a vulnerable system and deploy Skidmap mining malware. The attackers can also kill existing mining operations, disable security features, and modify SSH keys. 

To maintain persistence and further distribute the malware, the cybercriminals use cron jobs (time-based job schedulers) and rootkits.

One way to shut down such malware campaigns is to identify and take down the domains and static IP addresses that the attackers must use to maintain access and re-infect systems.

The operators of this campaign foresaw this and “included backup infrastructure where infections could fail over and download an updated infection that would, in turn, update the infected machine to use new domains and infrastructure,” Akamai researchers say.

Tracking down

Eventually, after an extensive investigation, Akamai found a BTC wallet address that the bad actors were using to maintain persistence, which gave some clues as to what the hackers were doing.

“By pushing a small amount of BTC into the wallet, they can recover infected systems that have been orphaned,” Akamai researchers explain. “They essentially have devised a method of distributing configuration information in a medium that is effectively unseizable and uncensorable.”

Adoption of this technique by other criminals could be very problematic, and it will likely gain popularity in the near future, say researchers.
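Because an infected host has to look up the wallet's transaction history to recover its C2 address, one defender-side signal is a server (an Elasticsearch or Hadoop node, for instance) sending a Bitcoin address to a blockchain explorer. The following is an added example, not code from the Akamai report; it assumes a constructed proxy log format (client IP, method, URL, status) and a constructed inventory of server-role hosts.

```python
import re
from collections import defaultdict

# Shapes of Bitcoin addresses: base58 legacy (P2PKH/P2SH, leading 1 or 3)
# and bech32 segwit (leading bc1). Base58 omits 0, O, I and l; bech32
# omits 1, b, i and o.
BTC_ADDR = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)

# Hosts with no business fetching wallet history. Assumed inventory,
# constructed for this example; in practice it comes from your CMDB.
SERVER_ROLES = {"10.0.5.21": "elasticsearch", "10.0.5.30": "hadoop-yarn"}

# Constructed proxy log lines: client_ip method url status.
# The explorer hostname and both addresses are made up for the example.
SAMPLE_LOG = """\
10.0.5.21 GET https://explorer.example/api/address/1CraftedAddrConstructedAbcDefGhJkL/txs 200
10.0.7.4 GET https://www.example.com/index.html 200
10.0.5.30 GET https://explorer.example/api/address/bc1qcraftedsampleaddr0xyz 200
10.0.5.21 GET https://pkg.example/repo/Packages.gz 200
"""


def wallet_lookups(log_text):
    """Return {client_ip: [btc_address, ...]} for server-role hosts whose
    outbound URLs carry a Bitcoin address, i.e. a wallet-history lookup.
    Workstations are ignored: a developer browsing an explorer is normal,
    a search cluster node doing so is not."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        if client not in SERVER_ROLES:
            continue
        for addr in BTC_ADDR.findall(url):
            hits[client].append(addr)
    return dict(hits)


if __name__ == "__main__":
    for host, addrs in wallet_lookups(SAMPLE_LOG).items():
        print(f"ALERT {host} ({SERVER_ROLES[host]}) looked up wallet(s): {addrs}")
```

A hit is a starting point for triage (check crontab entries, SSH authorized_keys and running miners on that host), not proof of infection on its own.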

To read the full analysis, please visit Akamai’s original report.

About the author

CIM Team
