Redaman is a banking malware distributed through phishing campaigns and aimed primarily at Russian users. The malware first appeared in 2015, when it was known as the RTM banking Trojan, and a new version under the Redaman name appeared between 2017 and 2018. In September 2019, Check Point's security researchers discovered an updated version that hides the IP address of its C&C server in the Bitcoin blockchain.
We have seen other techniques that use the Bitcoin blockchain to hide a C&C server's IP address, but in this article we analyze a new hiding technique, "Chaining".
How can an attacker hide the C&C server in the Bitcoin blockchain?
In the sample analyzed here, the IP address the attacker wants to hide is 185.203.116.47.
To achieve this, the attacker uses the Bitcoin wallet address 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ and performs the following steps.
1. The attacker converts each octet of the IP address from decimal to hexadecimal:
185.203.116.47 => B9.CB.74.2F
2. The attacker takes the first two octets, B9 and CB, and joins them in reverse order:
B9.CB => CBB9
3. Next, the attacker converts them from hexadecimal back to decimal:
CBB9 ==> 52153
The attacker then makes the first transaction, sending 0.00052153 Bitcoin (52153 satoshi, approximately US$4) to the target wallet address.
4. The attacker takes the last two octets, 74 and 2F, and joins them in reverse order:
74.2F => 2F74
5. The attacker converts them from hexadecimal back to decimal:
2F74 ==> 12148
The attacker then makes a second transaction, sending 0.00012148 Bitcoin (12148 satoshi, approximately US$1) to the target wallet address.
How does the Redaman malware obtain the dynamically hidden IP address of the C&C server?
Redaman reverses the algorithm described above to recover the hidden IP address.
1. Redaman first sends a GET request to retrieve the last ten transaction records of the hard-coded Bitcoin wallet address 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ. The request is as follows:
2. Redaman takes the two most recent payments to the wallet: 52153 and 12148 satoshi (0.00052153 and 0.00012148 BTC).
3. Convert each decimal transaction amount to hexadecimal:
52153 ==> CBB9, 12148 ==> 2F74
4. Split each hexadecimal value into a high byte and a low byte, swap the byte order, and convert each byte back to decimal:
B9==>185, CB==>203, 74==>116, 2F==>47
5. Finally, join these values to form the hidden C&C server IP address:
185.203.116.47
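The encoding and decoding steps above, written out as an added Python example (this is not Redaman's own code). The wallet address and the two satoshi amounts come from the article; the transaction list and the payer addresses are constructed sample data standing in for a block-explorer response.

```python
from decimal import Decimal
import ipaddress

SATOSHI_PER_BTC = 100_000_000

# Wallet from the article; the transaction list is constructed sample data
# (newest first, as an explorer API would return it), with a decoy outgoing
# transaction and an older unrelated incoming payment mixed in.
WALLET = "1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ"
SAMPLE_TXS = [
    {"to": WALLET, "from": "1ConstructedPayerAddressAAAAAAAAAAAA", "btc": "0.00012148"},
    {"to": "1ConstructedOtherAddressBBBBBBBBBBBB", "from": WALLET, "btc": "0.00100000"},
    {"to": WALLET, "from": "1ConstructedPayerAddressAAAAAAAAAAAA", "btc": "0.00052153"},
    {"to": WALLET, "from": "1ConstructedOldPayerCCCCCCCCCCCCCCCC", "btc": "0.00500000"},
]


def ip_to_amounts(ip: str) -> tuple[int, int]:
    """Attacker side: encode an IPv4 address as two satoshi amounts.
    Each octet pair is byte-swapped, e.g. B9.CB -> CBB9 -> 52153."""
    a, b, c, d = ipaddress.IPv4Address(ip).packed
    first = (b << 8) | a    # second octet becomes the high byte
    second = (d << 8) | c
    return first, second


def amounts_to_ip(first: int, second: int) -> str:
    """Malware side: split each 16-bit amount into low and high byte."""
    a, b = first & 0xFF, first >> 8
    c, d = second & 0xFF, second >> 8
    return f"{a}.{b}.{c}.{d}"


def btc_to_satoshi(btc: str) -> int:
    """Exact conversion; Decimal avoids float rounding of values like 0.00052153."""
    return int(Decimal(btc) * SATOSHI_PER_BTC)


def recover_cc_from_transactions(txs: list[dict], wallet: str) -> str:
    """Mimic the decoder: keep only payments *to* the wallet, then decode the
    two most recent ones. The earlier payment carries the first two octets,
    the later one the last two, so the order must be restored before decoding."""
    incoming = [t for t in txs if t["to"] == wallet]
    newer, older = incoming[0], incoming[1]
    return amounts_to_ip(btc_to_satoshi(older["btc"]), btc_to_satoshi(newer["btc"]))
```

Running the encoder on the article's address yields exactly the two amounts the attacker paid, and the decoder recovers the address from the sample list while ignoring the outgoing and older transactions.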
To sum up
In this article, we described how Redaman hides the IP address of its dynamic C&C server in the Bitcoin blockchain. Compared with earlier methods that rely on hard-coded or statically configured IP addresses, this technique is harder to detect and block, since the address can be changed with two new transactions and nothing in the binary needs to be updated. The hard-coded wallet address itself remains a static indicator, however, and the GET request the malware issues to fetch the wallet's transaction history is observable network activity.
Indicators of compromise (IoC)
C&C server address: 185.203.116.47
Bitcoin wallet address: 1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ