Pony’s C&C servers hidden inside the Bitcoin blockchain

October 17, 2019

Research by: Kobi Eisenkraft, Arie Olshtein


Redaman is a banking malware family distributed through phishing campaigns that mostly target Russian-speaking users. It was first seen in 2015, when it was reported as the RTM banking Trojan, and new versions appeared in 2017 and 2018. In September 2019, Check Point researchers identified a new version that hides the IP addresses of its Pony C&C servers inside the Bitcoin blockchain.

Other techniques that use the Bitcoin blockchain to hide a C&C server IP address have been seen in the past; in this blog we share an analysis of the new one.

The malware queries the Bitcoin blockchain and chains two transactions together to recover the hidden C&C server address, so we call this new technique Chaining.

Infection chain

How the attacker hides the C&C servers in Bitcoin blockchain

In this real example, the attacker wants to hide the C&C server IP address.

To do this, the attacker uses the wallet 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ:

1. The attacker converts each octet of the IP address from decimal to hexadecimal: => B9.CB.74.2F

2. The attacker takes the first two octets, B9 and CB, and combines them in the opposite order: B9.CB => CBB9

3. The attacker then converts the result back from hexadecimal to decimal: CBB9 => 52153.

  • 0.00052153 BTC (about $4) is the first payment he makes to the wallet 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ

4. The attacker takes the last two octets, 74 and 2F, and combines them in the opposite order: 74.2F => 2F74

5. The attacker converts the result back from hexadecimal to decimal: 2F74 => 12148.

  • 0.00012148 BTC (about $1) is the second payment he makes to the wallet 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ

Figure 1 – Related transactions with amounts of 0.00052153 and 0.00012148 BTC

How Redaman malware reveals the dynamic hidden C&C server IP

Redaman reverses the algorithm described above.

1. Redaman sends a GET request to retrieve the last ten transactions on the hard-coded Bitcoin wallet 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ.

2. It takes the amounts (in satoshis) of the last two payments made to the wallet: 52153 and 12148.

3. It converts the decimal amounts to hexadecimal: 52153 => CBB9 and 12148 => 2F74.

4. It splits each hexadecimal value into its low and high bytes, swaps their order, and converts each byte back to decimal: B9 => 185, CB => 203, 74 => 116, 2F => 47.

5. Together these four values form the IP address of the hidden C&C server.

Figure 2 – The actual code that calculates the C&C server IP; in “Dump 1” you can see the hexadecimal bytes of the C&C server IP: B9 CB 74 2F

Figure 3 – JSON response that includes the hidden C&C server IP
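As an added worked example (not Check Point's code and not Redaman's own routine), the following Python implements both directions of the Chaining scheme described above: the attacker-side encoding of an IPv4 address into two satoshi amounts, and the malware-side decoding, which an analyst can reuse to watch the wallet and learn which address the malware would currently contact. The transaction listing, its field names and its newest-first ordering are constructed assumptions for the example, not the real explorer API the malware queries.

```python
"""Chaining: hide an IPv4 address in two Bitcoin payment amounts.

Added example, not the original post's or the malware's code. Amounts are
satoshis (1 BTC = 100,000,000 satoshi), so 0.00052153 BTC is 52153 satoshi.
"""
from __future__ import annotations

import ipaddress
from decimal import Decimal

# Hard-coded wallet from the post.
WALLET = "1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ"
SATOSHI_PER_BTC = 100_000_000


def encode_ip(ip: str) -> tuple[int, int]:
    """Attacker side: IPv4 -> (first payment, second payment) in satoshis.

    Octets are paired and each pair is written high-octet-first:
    B9.CB -> CBB9 (52153) and 74.2F -> 2F74 (12148).
    """
    a, b, c, d = ipaddress.IPv4Address(ip).packed
    first = (b << 8) | a
    second = (d << 8) | c
    return first, second


def decode_ip(first: int, second: int) -> str:
    """Malware side: two satoshi amounts -> dotted-decimal IPv4.

    Each amount must fit in two bytes; anything larger cannot be part of
    the encoding, which is also how an analyst can rule out ordinary
    payments to the wallet.
    """
    for amount in (first, second):
        if not 0 <= amount <= 0xFFFF:
            raise ValueError(f"amount {amount} does not fit in two bytes")
    # Low byte is the earlier octet of the pair, high byte the later one.
    a, b = first & 0xFF, first >> 8
    c, d = second & 0xFF, second >> 8
    return f"{a}.{b}.{c}.{d}"


def satoshi_to_btc(sats: int) -> str:
    """Render a satoshi amount the way a block explorer shows it."""
    return format(Decimal(sats) / SATOSHI_PER_BTC, ".8f")


# Constructed sample listing, newest first. Field names and ordering are
# assumptions for this example, not the real explorer response format.
SAMPLE_TXS_NEWEST_FIRST = [
    {"txid": "constructed-tx-2", "to": WALLET, "value": 12148},
    {"txid": "constructed-tx-1", "to": WALLET, "value": 52153},
    {"txid": "constructed-tx-0", "to": WALLET, "value": 500000},  # older, unrelated
]


def recover_cnc_from_listing(txs_newest_first: list[dict], wallet: str = WALLET) -> str:
    """Analyst/malware side: pick the two newest payments to the wallet and
    decode them. The payment made first carries the first two octets, so
    with a newest-first listing the older of the two is passed first."""
    payments = [t["value"] for t in txs_newest_first if t["to"] == wallet][:2]
    if len(payments) < 2:
        raise ValueError("need two payments to the wallet")
    newest, older = payments
    return decode_ip(older, newest)


if __name__ == "__main__":
    first, second = encode_ip("185.203.116.47")
    print(satoshi_to_btc(first), satoshi_to_btc(second))   # 0.00052153 0.00012148
    print(recover_cnc_from_listing(SAMPLE_TXS_NEWEST_FIRST))  # 185.203.116.47
```

Run against the two amounts in Figure 1, the decoder yields the octets listed in step 4; feeding it a fresh listing of the wallet's transactions is a cheap way to detect when the operators rotate the C&C address without having to run the sample.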



In this blog, we described how Redaman has become more effective by hiding dynamic C&C server addresses inside the Bitcoin blockchain.

This contrasts with simple C&C setups based on static, hard-coded IP addresses, which provide an easy way to defend against this type of attack.


Indicators of Compromise:

Hidden C&C servers

Redaman samples

Bitcoin wallet

1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ – The wallet is not recognized as malicious in any blockchain database, but Check Point incriminates it.



