A quieter week in blockchain security where we can deep dive into several interesting research articles. Check out the novel malware communication channel using Bitcoin’s OP_RETURN transactions to embed updated C2 servers, security considerations in the upcoming Ethereum Istanbul hard fork, detailed steps on executing hardware wallet side-channel attacks, and Bitcoin QR code scams.
Malware
Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions - a malware analysis report and Appendix on the older Glupteba family targeting Windows hosts and vulnerable MikroTik routers to miner Monero, steal credentials, and proxy malicious traffic. In addition to more traditional HTTP-based C2 communication, Glupteba can locate an updated C2 server name hidden inside Bitcoin OP_RETURN transactions sent by a hard-coded Bitcoin address. Normally this type of transactions is used to embed arbitrary binary data on the blockchain which also makes it a great place to embed C2 commands. Malware also uses a publicly available Electrum node list to communicate with the Bitcoin network.
Indicators:
C2 Bitcoin address (follow the tx chain):
15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6
C2 Hosts:
5[.]9[.]157[.]50
keepmusic[.]xyz
playfire[.]online
venoxcontrol[.]com
okonewacon[.]com
blackempirebuild[.]com
bigtext[.]club
clubhouse[.]site
nxtfdata[.]xyz
lienews[.]world
phonemus[.]net
takebad1[.]com
Research
Stop Using Solidity's transfer() Now - the article covers the security implications of the upcoming Istanbul hard fork and EIP 1884 related to transfer() and send() functions. The decrease in Gas cost of these instructions may be just enough to pay for a reentrant call in the future. The article outlines several safe patterns to defend against future instruct gas cost changes.
Using TensorFlow / machine learning for automated RF side-channel attack classification - a detailed research article into the machine learning and side-channel set up used to attack Ledger Blue hardware wallets.
QR Code Degenerators: Unmasking a Crypto Scam - a research into online QR generators found that 4 out of 5 top Google search results were scams which embedded malicious addresses instead of the intended ones.
Indicators:
Malicious QR Generators:
hxxps://bitcoinqrcodegenerator[.]net/
hxxps://btcfrog[.]com/
hxxps://bitcoin-qr-code[.]net
hxxps://mybitcoinqrcode[.]com/
Scammer Bitcoin Addresses:
17bCMmLmWayKGCH678cHQETJFjhBR44Hjx
14ZGdFRaCN8wkNrHpiYLygipcLoGfvUAtg
35mJx4EeEY7Lnkxvg1Swn1eSUN1TtQsQ3
bc1qs4hcuqcv4e5lcd43f4jsvyx206nzkh4az05nds
1KrHRyK9TKNU4eR5nhJdTV6rmBpmuU3dGw
1Gg9VZe1E4XTLsmrTnB72QrsiHXKbcmBRXAnalysis of bouncing attack on FFG - details of the attack which may cause liveness failure on the upcoming in the Ethereum Casper FFG protocol. Also, check out the related Prevention of bouncing attack on FFG article with a proposed fix.
Stay safe and see you all in the next edition of blockchain threat intelligence newsletter?
Protect Your Crypto
Buy a hardware wallet:
Support the newsletter
BTC: 39M1VZxR2W4S3nQsj6RUmNbrdLkLT27U2k
ETH: 0x571B7313b36AF37E61359635157657DbAb6Ec240
| 1 |