A new botnet known as Orchard has been observed generating the domain names that hide its command-and-control (C2) infrastructure from transaction data of a Bitcoin account associated with Satoshi Nakamoto.
According to researchers from Qihoo 360’s Netlab security team, “because of the uncertainty of Bitcoin transactions, this technique is more unpredictable than utilizing the usual time-generated [domain generation algorithms (DGAs)] and therefore more difficult to protect against.”
Orchard is believed to have gone through three revisions since February 2021. The botnet’s core functions are to install additional payloads on victims’ machines and to execute commands received from the C2 server.
It is also designed to upload user and device information and to infect USB storage devices in order to propagate the malware. According to Netlab’s analysis, the malware has so far enslaved more than 3,000 hosts, most of them located in China.
Orchard has also received notable updates over the past year, including a brief experiment with Golang for its implementation before the third iteration returned to C++.
In addition, the latest version adds functionality to launch the XMRig mining program, which uses the compromised system’s resources to mine Monero (XMR). The DGA used in the attacks has been revised as well.
Where the first two variants rely solely on date strings to build the domain names, the more recent variant also uses balance data retrieved for the Bitcoin wallet address “1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa.” Notably, this is the address that received the coinbase reward of the Bitcoin genesis block, mined on January 3, 2009, and it is widely thought to belong to Nakamoto.
The balance of this wallet can therefore serve as DGA input, the researchers note. “Over the past decade or so, small amounts of bitcoin have been sent to this wallet on a regular basis for various reasons, thus it is changeable and that change is difficult to predict,” they wrote.
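To make concrete why a balance-seeded DGA is harder to defend against than a purely date-based one, the following is an added illustrative model, not Orchard’s actual algorithm (the article does not publish it) and not code from Netlab. It seeds an iterated SHA-256 with the genesis-block address, a wallet balance and the current date, derives candidate domains from the digests, and then matches those candidates against a few constructed DNS log lines of the kind a hunter would search. The balance value, the TLD list, the label length and the log format are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
from datetime import date

# Address that received the genesis-block coinbase reward (from the article).
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

# Constructed balance in satoshi for the example. In a real hunt this would be
# fetched from a block explorer or your own node, and it changes whenever
# someone sends coins to the address, which is exactly the defender's problem.
SAMPLE_BALANCE_SAT = 7_215_000_000
SAMPLE_DAY = date(2022, 8, 1)

TLDS = ("com", "net", "org")  # assumed TLD list
LABEL_LEN = 12                # assumed label length


def dga_domains(balance_sat: int, day: date, count: int = 8) -> list[str]:
    """Model DGA: seed = address:balance:date, then chained SHA-256 digests.

    Assumption: this is an illustration of the technique, not Orchard's code.
    Every byte of the seed feeds the hash, so a one-satoshi change in the
    balance yields a completely different domain set for the same day.
    """
    digest = f"{GENESIS_ADDRESS}:{balance_sat}:{day.isoformat()}".encode()
    domains = []
    for _ in range(count):
        digest = hashlib.sha256(digest).digest()
        # Map the first LABEL_LEN bytes onto lowercase letters.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def find_dga_hits(dns_log_lines: list[str], candidates: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, domain) for each log line that queries a candidate.

    Assumed log format: "<timestamp> client <ip> query: <name> IN <type>".
    """
    wanted = set(candidates)
    hits = []
    for lineno, line in enumerate(dns_log_lines, start=1):
        parts = line.split()
        try:
            name = parts[parts.index("query:") + 1].rstrip(".").lower()
        except (ValueError, IndexError):
            continue  # malformed or non-query line
        if name in wanted:
            hits.append((lineno, name))
    return hits


# Candidate set a defender would precompute for today's observed balance.
CANDIDATES = dga_domains(SAMPLE_BALANCE_SAT, SAMPLE_DAY)

# Constructed DNS log, not real telemetry; one line queries a DGA candidate.
SAMPLE_DNS_LOG = [
    "2022-08-01T10:00:01 client 10.0.0.5 query: www.example.com IN A",
    f"2022-08-01T10:00:07 client 10.0.0.9 query: {CANDIDATES[3]} IN A",
    "2022-08-01T10:00:09 client 10.0.0.9 query: pool.example.net IN A",
]


def stale_balance_misses(dns_log_lines: list[str]) -> int:
    """Hits found when the hunter's balance is one satoshi out of date.

    Shows the failure mode: with a date-only DGA, yesterday's precomputed list
    still works; with a balance-seeded one, a single incoming transaction
    silently invalidates it.
    """
    stale = dga_domains(SAMPLE_BALANCE_SAT + 1, SAMPLE_DAY)
    return len(find_dga_hits(dns_log_lines, stale))


if __name__ == "__main__":
    print("candidates:", CANDIDATES)
    print("hits with current balance:", find_dga_hits(SAMPLE_DNS_LOG, CANDIDATES))
    print("hits with stale balance:", stale_balance_misses(SAMPLE_DNS_LOG))
```

The practical consequence for defenders is in the last function: a sinkhole or blocklist built from a date-only DGA can be precomputed for weeks ahead, whereas a balance-seeded one has to be regenerated every time the wallet receives funds, and a hunter working from a stale balance finds nothing.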
The findings come as researchers disclosed RapperBot, a newly discovered IoT botnet malware that has been observed brute-forcing SSH servers as a stepping stone to launching distributed denial-of-service (DDoS) attacks.