Security researchers have observed a crypto mining botnet campaign using Bitcoin blockchain transactions to hide its backup C2 IP addresses. It’s a very effective way to stay hidden and defeat takedown attempts. Adoption of this technique can be troublesome and expected to become popular in the near future.
In December 2020, a BTC wallet address used in new variants of the crypto mining malware was spotted. The wallet data was used to distribute crypto-malware and establish persistence. The attack starts with the exploitation of RCE vulnerabilities tracked as CVE-2015-1427/CVE-2019-9082 that already exist in software. In a few attacks, instead of directly hijacking the system, attackers used modified RCEs to create Redis server scanners that were used to find further Redis targets for cryptocurrency mining operations.
The operators behind this campaign were able to mine $30,000 in Monero in the past three years. These Monero transactions are anonymous and do not require specialized machines for mining.The use of BTC transactions to evade detection is the second innovative attempt seen in recent times.
The usage of such innovative techniques to stay hidden has serious implications on tracking, defending, and takedown attempts made by researchers, infrastructure operators, and law enforcement. Therefore, security agencies need to explore innovative ideas in order to trace such cybercriminals responsible for cryptomining.