Pony’s C&C servers hidden inside the Bitcoin blockchainOctober 17, 2019
Research by: Kobi Eisenkraft, Arie Olshtein
Redaman is a form of banking malware distributed by phishing campaigns that target mostly Russia language speakers. First seen in 2015 and reported as the RTM banking Trojan, new versions of Redaman appeared in 2017 and 2018. In September 2019, Check Point researchers identified a new version that hides Pony C&C server IP addresses inside the Bitcoin blockchain.
In the past we have seen others techniques that used Bitcoin blockchain to hide their C&C server IP address, but in this blog we will share an analysis of the new technique.
The malware connects to Bitcoin blockchain and chaining transactions in order to find the hidden C&C server, we called this new technique Chaining.
How the attacker hides the C&C servers in Bitcoin blockchain
In this real example the attacker wants to hide IP 184.108.40.206
In order to do this, the attacker uses wallet 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ :
1. The attacker converts each octet of the IP address from decimal to hexadecimal: 220.127.116.11 => B9.CB.74.2F
2. The attacker takes the first 2 octets, B9 and CB and combines them in opposite order B9.CB => CBB9
3. The attacker then converts back from hexadecimal to decimal, CBB9 ==> 52153.
- 0.00052153 BTC (about 4$) is the first transaction he will do to the 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ wallet
4. The attacker takes the last 2 octets, 74 and 2F and combines them in opposite order 74.2F => 2F74
5. The attacker converts back from hexadecimal to decimal, 2F74==> 12148.
- 0.00012148 BTC (about 1$) is the second transaction he will do to the 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ wallet
Figure 1 – Related transactions with amounts of 0.00052153 and 0.00012148 BTC https://www.blockchain.com/btc/address/1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ?sort=0
How Redaman malware reveals the dynamic hidden C&C server IP
Redaman does the opposite to the algorithm described above.
2. It takes the values of the last two payment transactions to Bitcoin wallets 52153 and 12148.
3. Converts the Decimal values from the transactions to Hexadecimal 52153==>CBB9 and 12148==>2F74.
4. Splits the Hexadecimal value to low and high bytes, changes the order and converts them back to decimal. B9==>185, CB==>203, 74==>116, 2F==>47
5. These values together combine the IP address of the hidden C&C server IP 18.104.22.168.
Figure 2 – The actual code that calculate the C&C server IP, you can see in “Dump 1” the hexadecimal values of the C&C server IP: B9 CB 74 2F (22.214.171.124)
Figure 3 – Json response that include the hidden C&C server IP
In this blog, we described how Redaman has become more effective by hiding dynamic C&C server addresses inside the Bitcoin blockchain.
In contrast to the simple C&C setups based on static/hard coded IP addresses that provide an easy way to defend against this type of attack.
Indicators of Compromise:
Hidden C&C servers
1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ – The wallet is not recognized as malicious in any blockchain databases but Check Point incriminates it.