A new strain of the banking malware Redaman is hiding dynamic command and control (C&C) server IP addresses inside the Bitcoin blockchain, researchers at Check Point say.
Redaman is banking malware that mostly targets Russian speakers. It was first seen in 2015. Its creators have a track record of using innovative techniques to avoid detection.
The malware typically delivers its payloads via a “rotating assortment of archived Windows executable files disguised as PDF documents,” according to analysis by Palo Alto Networks earlier this year.
Once downloaded, as Threatpost notes, it is capable of:
- Keylogging activity
- Capturing screen shots
- Exfiltrating financial data
- Altering DNS configuration
- Terminating running processes
- Adding certificates to the Windows store
Redaman Malware Using Blockchain
Interestingly, and in what appears to be a growing trend, the latest Redaman version hides the dynamic IP address of its C&C server by converting each octet of the IP address from decimal to hexadecimal (e.g. 185.203.116.47 => B9.CB.74.2F), scrambling the result, then hiding it in the form of a small payment to the attackers' own Bitcoin wallet.
To reveal the C&C address, Redaman sends a GET request to fetch the last ten transactions on the hard-coded Bitcoin wallet. It takes the values of the last two payment transactions to Bitcoin wallets, converts the decimal values from the transactions to hexadecimal, splits each hexadecimal value into low and high bytes, swaps their order and converts them back to decimal; together these values form the IP address of the hidden C&C server.
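As an added example (not Check Point's analysis code, and not the malware's own), the following reproduces the decoding step described above so an analyst can recover the address from observed wallet transactions. The exact byte order after the swap and the assumption that the older of the two transactions carries the first two octets are assumptions; the transaction amounts are constructed.

```python
# Added example: reproduces the article's decoding step for analysts.
# Assumptions (the article only says "changes the order"): each payment
# amount holds two octets, the low byte becomes the first octet, and the
# older of the last two transactions supplies the first half of the address.


def decode_octet_pair(amount_sat: int) -> tuple:
    """One payment amount (satoshis, decimal) -> two IP octets.

    decimal -> hex -> split into high and low byte -> swap -> decimal.
    """
    if not 0 <= amount_sat <= 0xFFFF:
        raise ValueError(f"amount {amount_sat} does not fit in two bytes")
    high, low = amount_sat >> 8, amount_sat & 0xFF
    return low, high  # swapped order (assumption)


def recover_c2(last_transactions: list) -> str:
    """Combine the last two payment values into a dotted IPv4 address."""
    if len(last_transactions) < 2:
        raise ValueError("need at least two transactions")
    older, newer = last_transactions[-2], last_transactions[-1]  # assumed order
    octets = decode_octet_pair(older) + decode_octet_pair(newer)
    return ".".join(str(o) for o in octets)


def encode_c2(ip: str) -> list:
    """Inverse of recover_c2, used to check the round trip on a known address."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    a, b, c, d = octets
    return [(b << 8) | a, (d << 8) | c]


# Constructed sample: the last ten payments seen on the wallet; only the
# final two carry the address (0xCBB9 and 0x2F74 in hex).
SAMPLE_TRANSACTIONS = [1000, 2500, 400, 7300, 999, 12, 8888, 3000, 52153, 12148]

if __name__ == "__main__":
    print(recover_c2(SAMPLE_TRANSACTIONS))  # 185.203.116.47
    print([hex(v) for v in encode_c2("185.203.116.47")])  # ['0xcbb9', '0x2f74']
```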
The malware is not the first to use the blockchain to hide C&C infrastructure: Trend Micro researchers identified the Glupteba malware as also updating its C&C server address through the blockchain via the function discoverDomain.
As they noted in September: “The discoverDomain function can be run either by sending a backdoor command, or automatically by the dropper. DiscoverDomain first enumerates Electrum Bitcoin wallet servers using a publicly available list, then tries to query the blockchain script hash history of the script with a hardcoded hash.”
In most other respects Redaman, meanwhile, is a typical banking trojan.
Check Point warns users to look out for Bitcoin wallet 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ, which is “not recognised as malicious in any blockchain databases”.