New Orchard Botnet Uses Bitcoin Founder’s Account Info To Generate Malicious Domains
Researchers observed a new Orchard botnet using Bitcoin creator Satoshi Nakamoto’s account transaction information to generate domain names to conceal its command-and-control (C2) infrastructure.
Orchard Botnet Poses More Threats
Researchers explained that, because Bitcoin transactions are inherently unpredictable, this scheme is harder to anticipate than the common time-seeded domain generation algorithms, and therefore more difficult to defend against.
Orchard has undergone three revisions since February 2021. In each version, the botnet primarily deploys additional payloads onto a victim’s machine and executes commands received from the C2 server.
It also uploads device and user information and infects USB storage devices to propagate the malware. Netlab’s analysis shows over 3,000 victims of the malware, with China recording the highest number.
Orchard has also gone through numerous updates over the past year, including a brief move to Golang for its implementation before switching back to C++ in its third iteration.
Importantly, the latest version adds the ability to launch an XMRig mining program to mint Monero (XMR) by abusing the compromised system’s resources. Another change concerns the DGA algorithm used in the attacks: the first two variants rely entirely on date strings to generate the domain names.
The newer version uses balance information obtained from the cryptocurrency wallet address 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa. The wallet address is the miner reward receiving address of the Bitcoin Genesis Block, which occurred on January 3, 2009, and is believed to be held by Nakamoto.
Variables in Wallet Address
The researchers said that over the past decade or so, the wallet has received small amounts of bitcoin daily for various reasons. Its balance is therefore variable and hard to predict, which is exactly what makes it usable as DGA input.
The findings come as researchers took the wraps off a nascent IoT botnet malware codenamed RapperBot, which brute-forces SSH servers, potentially to carry out distributed denial-of-service (DDoS) attacks.