Analyze the Pony C&C server hidden in the Bitcoin blockchain


Redaman is banking malware distributed through phishing campaigns, and it mainly targets Russian users. It first appeared in 2015, when it was known as the RTM banking Trojan; the newer version, Redaman, appeared between 2017 and 2018. In September 2019, Check Point's security researchers discovered an updated version that hides the IP address of its C&C server in the Bitcoin blockchain.

We have seen other techniques that use the Bitcoin blockchain to hide C&C server IP addresses before, but in this article we analyze a new hiding technique, “Chaining”.

How can an attacker hide the C&C server in the Bitcoin blockchain?
In the sample analyzed here, the IP address the attacker wants to hide is 185.203.116.47.

To achieve this, the attacker uses a wallet address: 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ

1. The attacker needs to convert each octet in the IP address from decimal to hexadecimal:

185.203.116.47 => B9.CB.74.2F

2. The attacker takes the first two octets, B9 and CB, and concatenates them in reverse order:

B9.CB => CBB9

3. Next, the attacker converts the result from hexadecimal back to decimal:

CBB9 => 52153

Then the attacker makes the first transaction, sending 0.00052153 Bitcoin (approximately US$4) to the target wallet address:

1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ

4. The attacker takes the last two octets, 74 and 2F, and concatenates them in reverse order:

74.2F => 2F74

5. The attacker converts the result from hexadecimal back to decimal:

2F74 => 12148

Then the attacker makes a second transaction, sending 0.00012148 Bitcoin (approximately US$1) to the target wallet address:

1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ

How does the Redaman malware obtain the dynamically hidden IP address of the C&C server?
Redaman runs the algorithm described above in reverse to recover the hidden IP address.

1. Redaman first sends a GET request to retrieve the last ten transaction records of the hard-coded Bitcoin wallet address 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ. The request is as follows:

https://api.blockcypher.com/v1/btc/main/addrs/1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ?limit=10

2. From these records, Redaman takes the amounts of the last two payments made to the wallet: 52153 and 12148 (in satoshi).

3. Convert each decimal transaction amount to hexadecimal:

52153 => CBB9 and 12148 => 2F74

4. Split each hexadecimal value into its high byte and low byte, swap the byte order, and convert each byte back to decimal:

B9 => 185, CB => 203, 74 => 116, 2F => 47

5. Finally, join these values into the hidden C&C server IP address:

185.203.116.47
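The following Python script is an added example, not code from the article or from Check Point's analysis: it implements both the attacker-side encoding (steps 1-5 above) and the malware-side recovery as exact byte operations, so an analyst can check a suspected wallet's payment history the same way the malware does. The JSON reply is a constructed sample in a simplified shape (a list of transactions, newest first, with amounts in satoshi); it is an assumption for this example and not the exact schema of the BlockCypher API the malware queries. The transaction hashes are placeholders.

```python
"""Encode/decode helpers for the Redaman IP-in-transaction-amounts scheme."""
from __future__ import annotations

import ipaddress
import json
from decimal import Decimal

SATOSHI_PER_BTC = 100_000_000


def ip_to_amounts(ip: str) -> tuple[int, int]:
    """Attacker-side steps 1-5: each octet pair is written in reverse order
    (little-endian) and read as one 16-bit value, which becomes a payment
    amount in satoshi.  185.203.116.47 -> B9.CB / 74.2F -> 0xCBB9, 0x2F74."""
    packed = ipaddress.IPv4Address(ip).packed        # b'\xb9\xcb\x74\x2f'
    first = int.from_bytes(packed[0:2], "little")    # 0xCBB9 == 52153
    second = int.from_bytes(packed[2:4], "little")   # 0x2F74 == 12148
    return first, second


def amounts_to_ip(first: int, second: int) -> str:
    """Malware-side steps 3-5: split each amount into low/high byte, restore
    the octet order and join the four octets into dotted-quad form."""
    for value in (first, second):
        if not 0 <= value <= 0xFFFF:
            raise ValueError(f"amount {value} does not fit in two octets")
    raw = first.to_bytes(2, "little") + second.to_bytes(2, "little")
    return str(ipaddress.IPv4Address(raw))


def btc_to_satoshi(btc: str) -> int:
    """Exact conversion of a BTC amount string (e.g. '0.00052153') to satoshi."""
    return int(Decimal(btc) * SATOSHI_PER_BTC)


# Constructed sample reply (assumed shape, not a real explorer response):
# transactions listed newest first, "value" in satoshi.
SAMPLE_RESPONSE = json.dumps({
    "address": "1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ",
    "txrefs": [
        {"tx_hash": "<constructed-hash-2>", "value": 12148},   # 2nd payment
        {"tx_hash": "<constructed-hash-1>", "value": 52153},   # 1st payment
        {"tx_hash": "<constructed-hash-0>", "value": 500000},  # unrelated
    ],
})


def c2_from_response(body: str) -> str:
    """Replay the malware-side recovery on an address-lookup reply: take the
    two most recent payments, restore the order in which they were sent,
    and decode them."""
    data = json.loads(body)
    amounts = [tx["value"] for tx in data["txrefs"]]
    newest, older = amounts[0], amounts[1]
    return amounts_to_ip(older, newest)


def find_encoded_ips(amounts_oldest_first: list[int]) -> list[str]:
    """Defender heuristic: scan consecutive payment pairs that both fit in
    16 bits and report any pair that decodes to a globally routable IPv4
    address.  Amounts above 0xFFFF satoshi can never be part of a pair."""
    hits = []
    for older, newer in zip(amounts_oldest_first, amounts_oldest_first[1:]):
        if older <= 0xFFFF and newer <= 0xFFFF:
            candidate = amounts_to_ip(older, newer)
            if ipaddress.IPv4Address(candidate).is_global:
                hits.append(candidate)
    return hits


if __name__ == "__main__":
    print(ip_to_amounts("185.203.116.47"))       # (52153, 12148)
    print(c2_from_response(SAMPLE_RESPONSE))     # 185.203.116.47
    print(find_encoded_ips([500000, 52153, 12148]))
```

From the defender's side, the useful observables are the outbound request to the block-explorer API for a fixed wallet address and the fact that the two amounts must each fit in 16 bits, so the heuristic can be run over any wallet's incoming payments; the script is offline and needs no network access.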

Summary
In this article we showed how Redaman hides the IP address of its dynamic C&C server in the Bitcoin blockchain. Compared with C&C servers reached through hard-coded or statically configured IP addresses, this technique is harder to detect and defend against.

Indicators of Compromise (IoC)
C&C server address

185.203.116.47

Redaman sample hashes

cf9c74ed67a4fbe89ab77643f3acbd98b14d5568

c098dc7c06e0da8f6e2551f262375713ba87ca05

3933f8309824a9127dde97b9c0f5459b06fd6c13

817bd8fff5b026ba74852955eb5f84244a92e098

51c7a774a0616b4611966d6d4f783c1164c9fa50

44b6627acd5b2c601443c55d2e44ae4298381720

d9fb2504008345af97b0e400706cdaa406476314

bbdce69acc6101c1f61748c91010c579625ef758

3f2b758122c0d180ccfba03b74b593854f2b0e86

9d7b264367320da38c94be1f940c663375d67a2a

Bitcoin wallet address

1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ
