How Did the Adversaries Abusing the Bitcoin Blockchain Evade Our Takeover?

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 1:30 p.m. (30 minutes)

Cyber security has always been a game of cat and mouse. In the past we have seen the malware ecosystem adopt code obfuscation, polymorphism, domain-generation algorithms (DGAs), and virtual machine and sandbox evasion whenever defenses became able to suppress these threats consistently and pervasively.

Some adversaries have recently started to use the Bitcoin blockchain to communicate command and control (C&C) information. Since no one can block or remove a transaction from the blockchain once miners have confirmed it, adversaries no longer have to fear that the transactions carrying their C&C location will be taken down. This latest innovation in malware tactics, techniques, and procedures (TTPs) means that common existing defenses, such as DGA precomputation or domain sinkholing, no longer work.

We monitored the malicious activity of one malware author who abused the Bitcoin blockchain to hide their C&C location for over a year, starting in mid-2019. During our monitoring they repeatedly went through trial and error and evolved their TTPs, since they did not yet understand the best way to operate this new technique. Based on the insights from this observation, we achieved a temporary takeover of the IP address the malware communicates with, redirecting it from the adversary's C&C server to our sinkhole server. The adversary, however, then implemented an evasive mechanism against our takeover. In this presentation we will show the audience how to analyze the Bitcoin transactions and the C&C operation, how to find malware samples that communicate with the C&C IPs recovered from transactions in the blockchain, and how to detect changes in TTPs, based on our experience confronting the actual adversaries. In addition, we will show both our takeover and the adversaries' evasive mechanism.

Since transactions in the blockchain are open data, the audience will be able to dig into the malicious behavior themselves right after our presentation.
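
The mechanism the abstract describes, worked through in code. The following Python is an added illustration, not the presenters' tooling and not the actual encoding used by the malware they tracked. It assumes a hypothetical scheme in which a transaction paying a known "signal" wallet carries an IPv4 address in the satoshi amounts of two outputs (each amount below 65536 encodes two octets, high octet first, outputs taken in vout order); every wallet address, txid, block height and amount is constructed. It walks the wallet's incoming transactions in confirmation order, decodes each candidate, flags decodes that cannot be a C&C address, and keeps the full history, which is what a defender would pivot on to hunt samples, choose a sinkhole target, and notice a change of TTPs.

```python
"""Decode C&C IPv4 addresses from Bitcoin transaction outputs (illustrative).

ASSUMPTION: the encoding below is hypothetical and chosen for demonstration;
it is not the scheme used by the adversary discussed in the talk. Every txid,
block height, wallet address and amount in this file is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Two octets fit in 16 bits, so under this scheme a signal output is < 65536 satoshi.
MAX_OCTET_PAIR = 0xFFFF


@dataclass
class TxOut:
    index: int        # vout index; ordering carries meaning in this scheme
    value_sat: int    # amount in satoshi
    address: str      # recipient address


@dataclass
class Tx:
    txid: str
    block_height: int  # confirmed transactions only; confirmation is what makes them un-removable
    outputs: List[TxOut] = field(default_factory=list)


# Constructed sample data: a watched "signal" wallet receiving a mix of C&C
# updates, ordinary funding, and one implausible update (decoy or mistake).
SIGNAL_WALLET = "1SignalWalletExampleXXXXXXXXXXXXXX"  # constructed, not a real address
CHANGE_ADDR = "1ChangeAddressExampleYYYYYYYYYYYYY"    # constructed
SAMPLE_TXS = [
    Tx("tx-0001", 700001, [TxOut(0, 51968, SIGNAL_WALLET), TxOut(1, 28935, SIGNAL_WALLET),
                           TxOut(2, 123456, CHANGE_ADDR)]),        # 203.0.113.7 (TEST-NET-3)
    Tx("tx-0002", 700010, [TxOut(0, 1_000_000, SIGNAL_WALLET)]),  # plain funding, not a signal
    Tx("tx-0003", 700020, [TxOut(0, 32512, SIGNAL_WALLET), TxOut(1, 1, SIGNAL_WALLET)]),  # 127.0.0.1
    Tx("tx-0004", 700031, [TxOut(0, 50739, SIGNAL_WALLET), TxOut(1, 25623, SIGNAL_WALLET),
                           TxOut(2, 4000, CHANGE_ADDR)]),          # 198.51.100.23 (TEST-NET-2)
]


def decode_ipv4(tx: Tx, wallet: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried by tx under the hypothetical scheme, or None.

    A signal transaction has exactly two outputs to the wallet; each amount encodes
    two octets as hi * 256 + lo. Anything else (funding, consolidation, a single
    output, an amount too large for two octets) is not a signal and is skipped.
    """
    outs = sorted((o for o in tx.outputs if o.address == wallet), key=lambda o: o.index)
    if len(outs) != 2 or any(o.value_sat > MAX_OCTET_PAIR for o in outs):
        return None
    octets = []
    for out in outs:
        octets.extend(divmod(out.value_sat, 256))  # (hi, lo)
    return ipaddress.IPv4Address(bytes(octets))


def plausible_c2(ip: ipaddress.IPv4Address) -> bool:
    """Reject addresses a C&C server cannot live on.

    Documentation ranges (TEST-NET) are deliberately allowed so the constructed
    samples pass; in production you would also check routing and passive-DNS data.
    """
    return not (ip.is_loopback or ip.is_multicast or ip.is_unspecified
                or ip.is_reserved or ip.is_link_local)


def c2_history(txs: List[Tx], wallet: str) -> List[Tuple[int, str, str, bool]]:
    """Walk the wallet's incoming transactions in confirmation order and return
    (height, txid, ip, plausible) for every decodable update.

    Keeping implausible decodes in the history, rather than dropping them, is what
    lets you notice a changed encoding or a decoy campaign when it happens.
    """
    history = []
    for tx in sorted(txs, key=lambda t: (t.block_height, t.txid)):
        ip = decode_ipv4(tx, wallet)
        if ip is not None:
            history.append((tx.block_height, tx.txid, str(ip), plausible_c2(ip)))
    return history


def current_c2(txs: List[Tx], wallet: str) -> Optional[str]:
    """The address a bot following this scheme would contact now: the most recent
    plausible decode. This is the value to sinkhole, block, or pivot on in telemetry."""
    plausible = [entry for entry in c2_history(txs, wallet) if entry[3]]
    return plausible[-1][2] if plausible else None


if __name__ == "__main__":
    for height, txid, ip, ok in c2_history(SAMPLE_TXS, SIGNAL_WALLET):
        print(f"height {height} {txid}: {ip} {'ok' if ok else 'IMPLAUSIBLE'}")
    print("current C&C:", current_c2(SAMPLE_TXS, SIGNAL_WALLET))
```

The two checks in the decoder are where a real deployment earns its keep: an adversary who learns that defenders read the chain can post amounts that decode to garbage, post more than two outputs, or switch the encoding entirely, and each of those shows up as a gap or an implausible entry in the history rather than as a silently wrong sinkhole target.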

Presenters:

  • Christian Doerr - Professor, Hasso Plattner Institute for Digital Engineering
    Christian Doerr is Professor of Cyber Security and Enterprise Security at the Hasso Plattner Institute in Potsdam, Germany. He and his team focus on network security, cyber threat intelligence, and situational awareness, as well as strategies to apply technological security controls effectively within organizations.
  • Tsuyoshi Taniguchi - Researcher, Fujitsu System Integration Laboratories, Ltd.
    Tsuyoshi Taniguchi is a researcher at Fujitsu System Integration Laboratories, Ltd. His research focuses on analyzing malicious behavior based on threat intelligence and the domain name system. Prior to joining Fujitsu, he received his PhD in computer science from the Graduate School of Information Science and Technology, University of Hokkaido.
