Sign up for our newsletter
Technology / Cybersecurity

This Malware is Hiding C&C Server IPs in the Blockchain

A new strain of the banking malware Redaman is hiding dynamic command and control (C&C) server IP addresses inside the Bitcoin blockchain, researchers at Checkpoint say.

Redaman is banking malware that mostly targets Russian speakers. It was first seen in 2015. Its creators have a track record of using innovative techniques to avoid detection.

The malware typically delivers its payloads via a “rotating assortment of archived Windows executable files disguised as PDF documents, according to analysis by Palo Alto Networks earlier this year.

Once downloaded, as Threatpost notes, it is capable of

White papers from our partners

  • Keylogging activity
  • Capturing screen shots
  • Exfiltrating financial data
  • Altering DNS configuration
  • Terminating running processes
  • Adding certificates to the Windows store

Redaman Malware Using Blockchain  

Interestingly, and in what appears to be a growing trend, the latest Redman version hides the dynamic IP address of its C&C server by converting each octet of the IP address from decimal to hexadecimal:, e.g. 185.203.116.47 => B9.CB.74.2F, scrambling the latter, then hiding it in the form of a small payment to their own Bitcoin wallet.

To reveal the C&C address, Redaman send a GET request to get the last ten transactions on the hard coded Bitcoin wallet; it takes the values of the last two payment transactions to Bitcoin wallets, converts the Decimal values from the transactions to Hexadecimal; splits the Hexadecimal value to low and high bytes, changes the order and converts them back to decimal; these values together combine the IP address of the hidden C&C server.

The malware’s not the first to use Blockchain to hide C&C infrastructure: Trend Micro researchers identified the Glupteba malware as also updating its C&C server address through the blockchain via the function discoverDomain.

As they noted in September: “The discoverDomain function can be run either by sending a backdoor command, or automatically by the dropper. DiscoverDomain first enumerates Electrum Bitcoin wallet servers using a publicly available list, then tries to query the blockchain script hash history of the script with a hardcoded hash.”

In most other respects Redaman, meanwhile, is a typical banking trojan.

Checkpoint warns users to look out for Bitcoin wallet 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ, which is “not recognised as malicious in any blockchain databases”.
This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.