Interestingly, and in what appears to be a growing trend, the latest Redaman version hides the dynamic IP address of its C&C server by converting each octet of the IP address from decimal to hexadecimal (e.g. 184.108.40.206 => B9.CB.74.2F), scrambling the result, and then hiding it in the form of a small payment to its own Bitcoin wallet.
To reveal the C&C address, Redaman sends a GET request for the last ten transactions on the hard-coded Bitcoin wallet. It takes the values of the last two payment transactions, converts each decimal value to hexadecimal, splits the hexadecimal value into its low and high bytes, swaps their order, and converts them back to decimal; together these values make up the IP address of the hidden C&C server.
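The decoding steps above, written out as an analyst's decoder so the scheme can be checked against real block-explorer output. This is an added example and not code from the article or from Redaman itself. It assumes (the article does not say) that each payment amount is an integer number of satoshis that fits in 16 bits, that the low byte becomes the first octet of its pair, and that the older of the two payments carries octets 1 and 2. The transaction listing is constructed; the two amounts are chosen so that they decode to the hexadecimal octets B9.CB.74.2F quoted above.

```python
"""Decoder for the Redaman-style C&C address hiding scheme (added example).

Assumptions not confirmed by the article: each of the two payment amounts is
an integer number of satoshis that fits in 16 bits; its low byte is the first
octet of its pair and its high byte the second; the older of the two payments
carries octets 1-2 and the newer carries octets 3-4.
"""
from typing import Iterable


def amount_to_octets(amount: int) -> tuple[int, int]:
    """Turn one decimal payment amount into two IP octets.

    Follows the steps the article describes: decimal -> hexadecimal, split
    into low and high bytes, swap their order, convert back to decimal.
    """
    if not 0 <= amount <= 0xFFFF:
        raise ValueError(f"amount {amount} does not fit in two bytes")
    high, low = divmod(amount, 0x100)  # split the 16-bit value into bytes
    return low, high                    # "changes the order": low byte first


def decode_c2_address(amounts_oldest_first: Iterable[int]) -> str:
    """Rebuild the dotted-quad C&C address from exactly two payment amounts."""
    amounts = list(amounts_oldest_first)
    if len(amounts) != 2:
        raise ValueError("exactly two payment amounts are needed")
    octets = [octet for amount in amounts for octet in amount_to_octets(amount)]
    return ".".join(str(octet) for octet in octets)


# Constructed sample: a block-explorer style listing of recent transactions on
# the hard-coded wallet (only the fields this decoder needs). Outgoing
# transactions are ignored; the two most recent incoming payments carry the
# address. 52153 == 0xCBB9 and 12148 == 0x2F74.
SAMPLE_TRANSACTIONS = [
    {"txid": "constructed-0", "direction": "in", "value_sat": 600},
    {"txid": "constructed-1", "direction": "out", "value_sat": 500},
    {"txid": "constructed-2", "direction": "in", "value_sat": 52153},
    {"txid": "constructed-3", "direction": "out", "value_sat": 450},
    {"txid": "constructed-4", "direction": "in", "value_sat": 12148},
]


def extract_from_transactions(txs: list[dict]) -> str:
    """Select the last two incoming payments (oldest first) and decode them."""
    incoming = [t["value_sat"] for t in txs if t["direction"] == "in"]
    if len(incoming) < 2:
        raise ValueError("wallet has fewer than two incoming payments")
    return decode_c2_address(incoming[-2:])


if __name__ == "__main__":
    print(extract_from_transactions(SAMPLE_TRANSACTIONS))
```

Run against explorer output for the wallet named in the article, the same function yields the address an infected host would contact, which is the value a responder wants to block or hunt for. Because the address lives on a public ledger rather than in the binary, blocking a single IP is short-lived; a more durable signal is unexpected processes on endpoints fetching transaction history from block-explorer APIs.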
The malware’s not the first to use Blockchain to hide C&C infrastructure: Trend Micro researchers identified the Glupteba malware as also updating its C&C server address through the blockchain via the function discoverDomain.
As they noted in September: “The discoverDomain function can be run either by sending a backdoor command, or automatically by the dropper. DiscoverDomain first enumerates Electrum Bitcoin wallet servers using a publicly available list, then tries to query the blockchain script hash history of the script with a hardcoded hash.”
In most other respects Redaman, meanwhile, is a typical banking trojan.
Check Point warns users to look out for Bitcoin wallet 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ, which is “not recognised as malicious in any blockchain databases”.
This article is from the CBROnline archive: some formatting and images may not be present.