Cyber criminals are increasingly using blockchain domains to support malicious infrastructure, FireEye claimed this week.
Traditional methods to conceal such infrastructure used to host additional payloads, store stolen data, and/or function as command and control (C2) servers – including bulletproof hosting, fast-flux, Tor infrastructure, and/or domain generation algorithms (DGAs) – are increasingly being augmented by the use of Namecoin domains, the California-headquartered cybersecurity company said.
Namecoin is a cryptocurrency based on the Bitcoin code that is used to register and manage domain names with the top-level domain (TLD) .bit. Everyone who registers a Namecoin domain is essentially their own domain registrar; however, domain registration is not associated with an individual’s name or address.
As Namecoin is decentralized, with no central authority managing the network, domains registered with Namecoin are resistant to being hijacked or shut down. Rather, domain ownership is based on the unique encrypted hash of each user. This essentially creates the same anonymous system as Bitcoin for internet infrastructure, in which users are only known through their cryptographic identity.
Namecoin says: “Domain names and identities are applications that are near the upper limit of the scale that Namecoin can handle. For example, misusing the Namecoin blockchain as a decentralized file storage is not feasible. There are several other decentralized systems that serve this purpose way more efficiently. In many cases, if you want to store data that is larger than 520 bytes, or that is updated very often, you may prefer to only store a content hash or a public key in the blockchain, along with information on where to get the full data. The full data can then be authenticated using Namecoin as a trust anchor without storing the entire data in Namecoin. An example of this usage is the ability to delegate .bit domain names to an external DNSSEC nameserver, authenticated by a DS record in the blockchain.”
FireEye wrote: “Many [malicious actors] have configured their malware to query their own privately managed Namecoin-compatible OpenNIC DNS, or to query other compatible servers they’ve purchased through underground infrastructure offerings. Bulletproof hosting providers, such as Group 4, have capitalized on the increased demand for .bit domains by adding support to allow malicious actors to query compatible servers.”
The company added: “Malware families that we have observed using Namecoin domains as part of their C2 infrastructure include:
- Necurs
- AZORult
- Neutrino (aka Kasidet, MWZLesson)
- Corebot
- SNATCH
- Coala DDoS
- CHESSYLITE
- Emotet
- Terdot
- Gandcrab Ransomware
- SmokeLoader (aka Dofoil)
Based on our analysis of samples configured to used .bit, the following methods are commonly used by malware families to connect to these domains:
- Query hard-coded OpenNIC IP address(es)
- Query hard-coded DNS server(s)
The security team behind the blog concluded: “Due to the decentralized and replicated nature of a blockchain, law enforcement takedowns of a malicious domain would likely require that the entire blockchain be shut down – something that is unfeasible to do as many legitimate services run on these blockchains.”
The added: “If law enforcement agencies can identify the individual(s) managing specific malicious blockchain domains, the potential for these takedowns could occur; however, the likelihood for this to happen is heavily reliant on the operational security level maintained by the eCrime actors. Further, as cyber criminals continue to develop methods of infrastructure obfuscation and protection, blockchain domain takedowns will continue to prove difficult.”
Full analysis and samples can be found on FireEye’s blog here.