## How Did the Adversaries Abusing Bitcoin Blockchain Evade Our Takeover

Tsuyoshi Taniguchi, Christian Doerr

-----

#### A Game Of Cat And Mouse: Malware Evolves When Detection Is Good Enough

-----

#### Three Main Angles for Today's Mitigation

(Figure: an infected client resolves malicious.com and q8a3da.com through the DNS server; one name yields the C&C IP, the other an NXDomain.)

- Option 1: Predict the domain names and stop them
- Option 2: Detect lookup patterns, especially NXDomains
- Option 3: Locate and seize the

-----

#### Who Are We

- Tsuyoshi Taniguchi, Ph.D., Researcher, Cybersecurity + Enterprise Security, Fujitsu System Integration Laboratories
- Harm Griffioen, PhD Candidate, Hasso Plattner Institute for Digital Engineering
- Christian Doerr, Ph.D., Professor, Hasso Plattner Institute for Digital Engineering

-----

#### Advertising C&C Information via the Blockchain

(Figure: the client fetches the last two payments from a specific bitcoin wallet, the signaling wallet; the two payment amounts encode the C&C server address as 142 93 and 0 206.)

-----

#### Three Main Angles for Yesterday's Mitigation

This latest criminal evolution is a significant problem for cyber defense.

- Option 1: Predict the domain names and stop them. ✗ There is nothing to predict anymore. Nobody can remove transactions from the blockchain (142.93.0.206 is recorded on the blockchain).
- Option 2: Detect lookup patterns, especially NXDomains. ✗ Some hide behind a TOR gateway. No DNS lookups to unusual sites. Never any NXDomains.
- Option 3: Locate and seize the ✗

-----

#### Criminals Continuously Experimented & Improved

During our 12 month observation, the attackers went through many rounds of redesign and continuous improvement. Let's look at two; for a full discussion refer to our report.

-----

#### Why? The Blockchain is not Predictable

(Figure, timeline: the attacker signals the new IP as two payments, 142.93 + 0.206. Previous transactions on the blockchain: 67.205, 148.45. The 0.206 payment is confirmed before the 142.93 payment, so a client querying the blockchain at that moment reads 67.205 + 0.206 as the C&C address. Incorrect order!)

How do you get payments to be confirmed as quickly as possible and in the right order?

-----

#### Higher Fees, More Incentive for Miners = Better Control over Your Transactions

(Figure; source: bitcoinwiki.org)

-----

#### Avoiding High Transaction Fees

(Figure: transaction-fee timeline with marks at Aug. 2019, Mar. 2020, May 2020, Aug. 2020 and Jan. 2021; Bitcoin halving -> fees soared.)

Adversaries shifted their activities into the night to benefit from lower transaction volume and cheaper fees.

-----

#### Experimenting with Transactions

- Time lag: the first and second transactions in different blocks
- Fee order: the first and second transactions in the same block

(Figure, time lag: the first transaction is confirmed, the second follows about 10 minutes later in a later block, and the C&C update only completes after the second confirmation; the confirmed time of the update is delayed by the time lag.)

(Figure, fee order: both transactions are confirmed in the same block and in the correct order.)

(Figure, Jan. 2021: observed downtime per update, over 2 hours in places. Fee order: same block, different fees. Time lag: different blocks, same fee.)

-----

#### Malware Takeover by Sending BTC to the Wallet

Although ingenious, the blockchain C&C contained a mistake: signaling is done based on receiving money, not sending it.

(Figure: our own payments to the signaling wallet redirect the infections from the C&C to our sinkhole server, which answers "Shutdown infection".)

-----

#### Takeover and Adversarial Evasion

- Aug. 14 3:37, 3:47: 142.93.0[.]206
- Takeover 1: Aug. 14 6:18, 6:23: 34.67.67.23 (downtime 2 days)
- Aug. 16 10:12, 10:12: 142.93.0[.]206
- Aug. 17 5:46, 5:48: 142.93.0[.]206
- Takeover 2: Aug. 17 6:45, 6:47: 34.67.67.23
- Aug. 17 13:54, 14:10: 142.93.0[.]206 (adversaries noticed and reset C&C)
- Aug. 17 14:20, 14:26: 142.93.0[.]206
- Takeover 3: Aug. 19 7:02, 7:02: 34.67.67.23 (adversaries stopped their malicious activity)

But this was only a suspension... Adversaries redesigned their C&C mechanism.

What did we accomplish? 3 takeovers; malware offline for 17 days; prevented 2 million USD in damages.

-----

#### How Did the Adversaries Evade our Takeover?

(Figure: an incoming transaction to the signaling wallet encodes the C&C IP; wallet prefixes shown in the figure: 1N94r, 1BkeG, the latter being our wallet.)

The sending wallet encodes the IP, but anyone can send BTC and no one can prevent this...

The simple fix was rolled out in malware samples from September 1 onwards: the outgoing transaction encodes the IP. The signaling wallet pays a disposable wallet, and clients are programmed to watch a bitcoin wallet for outgoing transactions.

...but they eventually gave up.

- The first C&C IP: Aug. 28th, 2019
- Our takeovers: Aug. 14 - 19, 2020
- Last update: Jan. 13th, 2021

-----

#### Concluding Remarks and Takeaways

- Blockchain-based C&C is the next step in a long evolution of criminal TTPs, but it will be very difficult to mitigate this technique in the future
- We could study how the adversaries experimented, learned and improved their TTPs over time, and traded off performance with how much they had to pay for it
- A simple design mistake allowed us to take over their operation until they redesigned, but eventually they dropped their use of the Bitcoin blockchain for C&C coordination
- This mechanism was ingenious, but vulnerable to surges in Bitcoin fees, which cut their profit; as a result, they gave up when the cost was not worth it
- After evading our takeover, we could track their malicious activity by monitoring Bitcoin behavior

-----

#### Citation

1. Pletinckx, Trap and Doerr, "Malware Coordination using the Blockchain: An Analysis of the Cerber Ransomware", IEEE Conference on Communications and Network Security 2018, https://www.cyber-threat-intelligence.com/publications/CNS2018-Cerber.pdf
2. Taniguchi, Griffioen and Doerr, "Analysis and Takeover of the Bitcoin-Coordinated Pony Malware", AsiaCCS 2021, download: https://www.cyber-threat-intelligence.com/publications/AsiaCCS2021-pony.pdf
3. "Pony's C&C servers hidden inside the Bitcoin blockchain", https://research.checkpoint.com/2019/ponys-cc-servers-hidden-inside-the-bitcoin-blockchain/
4. Metabase, https://www.metabase.com/
5. "Inside look at lifecycle of stolen credentials and extent of data breach damage", https://www.helpnetsecurity.com/2018/07/19/credential-spill-

-----
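The signaling scheme, the confirmation-order problem and the incoming-versus-outgoing mistake from the slides above, as an added example that is not code from the talk, the paper or the malware: a Python model of what a client reconstructs when it reads the watched wallet at a given block height, which is also what a defender monitoring the wallet would compute. The satoshi packing (first octet * 1000 + second octet), the wallet labels, the sample ledger and the rule that a higher fee confirms first inside one block are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    """One confirmed transaction, reduced to what the decoder needs."""
    sender: str
    receiver: str
    sats: int    # amount in satoshi
    block: int   # height of the confirming block
    fee: int     # assumed: higher fee confirms earlier inside one block

def octets(sats):
    """Assumed packing of two IPv4 octets: first * 1000 + second."""
    a, b = divmod(sats, 1000)
    if a > 255 or b > 255:
        raise ValueError(f"{sats} sat does not encode two octets")
    return a, b

def confirmed_order(txs):
    # Blocks order by height; inside a block the (assumed) fee order decides.
    return sorted(txs, key=lambda t: (t.block, -t.fee))

def decode_ip(txs, wallet, at_block, outgoing=False):
    """IP a client derives when it reads the wallet at `at_block`.
    outgoing=False: original design, the last two payments RECEIVED count,
    so any payer can inject a signal.  outgoing=True: the September 2020
    fix, the last two payments SENT count, which needs the private key."""
    seen = [t for t in txs if t.block <= at_block and
            (t.sender == wallet if outgoing else t.receiver == wallet)]
    last_two = confirmed_order(seen)[-2:]
    if len(last_two) < 2:
        return None
    return ".".join(str(o) for t in last_two for o in octets(t.sats))

# Constructed sample ledger; the labels stand in for real addresses.
SIG, ATT, OURS, DISP = "signaling", "attacker", "ours", "disposable"
TXS = [
    Tx(ATT, SIG, 67_205, 100, 50),    # old signal, first half: 67.205
    Tx(ATT, SIG, 148_045, 101, 50),   # old signal, second half: 148.45
    Tx(ATT, SIG, 206, 110, 50),       # new signal, second half confirmed first
    Tx(ATT, SIG, 142_093, 111, 50),   # first half a block later: wrong order
    Tx(OURS, SIG, 34_067, 120, 90),   # takeover: same block, higher fee
    Tx(OURS, SIG, 67_023, 120, 60),   # keeps 34.67 ahead of 67.23
    Tx(SIG, DISP, 142_093, 130, 80),  # fixed design: the wallet itself pays
    Tx(SIG, DISP, 206, 130, 40),      # out to a disposable wallet
]

if __name__ == "__main__":
    for blk, out in [(101, 0), (110, 0), (111, 0), (120, 0), (130, 0), (130, 1)]:
        print(blk, "outgoing" if out else "incoming", decode_ip(TXS, SIG, blk, out))
```

Reading at block 110 and 111 shows the time-lag and wrong-order failures, block 120 shows why a sinkhole payment could hijack the incoming-based design, and block 130 shows that the same payment is ignored once clients watch outgoing transactions instead.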