View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 18, 2019

This Malware is Hiding C&C Server IPs in the Blockchain

Latest malware to hide C&C in Blockchain wallets

By CBR Staff Writer

A new strain of the banking malware Redaman is hiding dynamic command and control (C&C) server IP addresses inside the Bitcoin blockchain, researchers at Checkpoint say.

Redaman is banking malware that mostly targets Russian speakers. It was first seen in 2015. Its creators have a track record of using innovative techniques to avoid detection.

The malware typically delivers its payloads via a “rotating assortment of archived Windows executable files disguised as PDF documents, according to analysis by Palo Alto Networks earlier this year.

Once downloaded, as Threatpost notes, it is capable of

  • Keylogging activity
  • Capturing screen shots
  • Exfiltrating financial data
  • Altering DNS configuration
  • Terminating running processes
  • Adding certificates to the Windows store

Redaman Malware Using Blockchain  

Interestingly, and in what appears to be a growing trend, the latest Redman version hides the dynamic IP address of its C&C server by converting each octet of the IP address from decimal to hexadecimal:, e.g. 185.203.116.47 => B9.CB.74.2F, scrambling the latter, then hiding it in the form of a small payment to their own Bitcoin wallet.

To reveal the C&C address, Redaman send a GET request to get the last ten transactions on the hard coded Bitcoin wallet; it takes the values of the last two payment transactions to Bitcoin wallets, converts the Decimal values from the transactions to Hexadecimal; splits the Hexadecimal value to low and high bytes, changes the order and converts them back to decimal; these values together combine the IP address of the hidden C&C server.

The malware’s not the first to use Blockchain to hide C&C infrastructure: Trend Micro researchers identified the Glupteba malware as also updating its C&C server address through the blockchain via the function discoverDomain.

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

As they noted in September: “The discoverDomain function can be run either by sending a backdoor command, or automatically by the dropper. DiscoverDomain first enumerates Electrum Bitcoin wallet servers using a publicly available list, then tries to query the blockchain script hash history of the script with a hardcoded hash.”

In most other respects Redaman, meanwhile, is a typical banking trojan.

Checkpoint warns users to look out for Bitcoin wallet 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ, which is “not recognised as malicious in any blockchain databases”.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU