A new strain of the banking malware Redaman is hiding dynamic command and control (C&C) server IP addresses inside the Bitcoin blockchain, researchers at Checkpoint say.

Redaman is banking malware that mostly targets Russian speakers. It was first seen in 2015. Its creators have a track record of using innovative techniques to avoid detection.

The malware typically delivers its payloads via a “rotating assortment of archived Windows executable files disguised as PDF documents, according to analysis by Palo Alto Networks earlier this year.

Once downloaded, as Threatpost notes, it is capable of

  • Keylogging activity
  • Capturing screen shots
  • Exfiltrating financial data
  • Altering DNS configuration
  • Terminating running processes
  • Adding certificates to the Windows store

Redaman Malware Using Blockchain  

Interestingly, and in what appears to be a growing trend, the latest Redman version hides the dynamic IP address of its C&C server by converting each octet of the IP address from decimal to hexadecimal:, e.g. 185.203.116.47 => B9.CB.74.2F, scrambling the latter, then hiding it in the form of a small payment to their own Bitcoin wallet.

To reveal the C&C address, Redaman send a GET request to get the last ten transactions on the hard coded Bitcoin wallet; it takes the values of the last two payment transactions to Bitcoin wallets, converts the Decimal values from the transactions to Hexadecimal; splits the Hexadecimal value to low and high bytes, changes the order and converts them back to decimal; these values together combine the IP address of the hidden C&C server.

The malware’s not the first to use Blockchain to hide C&C infrastructure: Trend Micro researchers identified the Glupteba malware as also updating its C&C server address through the blockchain via the function discoverDomain.

As they noted in September: “The discoverDomain function can be run either by sending a backdoor command, or automatically by the dropper. DiscoverDomain first enumerates Electrum Bitcoin wallet servers using a publicly available list, then tries to query the blockchain script hash history of the script with a hardcoded hash.”

In most other respects Redaman, meanwhile, is a typical banking trojan.

Checkpoint warns users to look out for Bitcoin wallet 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ, which is “not recognised as malicious in any blockchain databases”.