A quieter week in blockchain security where we can deep dive into several interesting research articles. Check out the novel malware communication channel using Bitcoin’s OP_RETURN transactions to embed updated C2 servers, security considerations in the upcoming Ethereum Istanbul hard fork, detailed steps on executing hardware wallet side-channel attacks, and Bitcoin QR code scams.
Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions - a malware analysis report and Appendix on the older Glupteba family targeting Windows hosts and vulnerable MikroTik routers to mine Monero, steal credentials, and proxy malicious traffic. In addition to more traditional HTTP-based C2 communication, Glupteba can locate an updated C2 server name hidden inside Bitcoin OP_RETURN transactions sent by a hard-coded Bitcoin address. Normally this type of transaction is used to embed arbitrary binary data on the blockchain, which also makes it a convenient place to embed C2 commands. The malware also uses a publicly available Electrum node list to communicate with the Bitcoin network.
C2 Bitcoin address (follow the tx chain):
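As an added illustration, not code from the Glupteba report or the malware itself, the Python below parses a legacy (non-segwit) raw Bitcoin transaction and pulls out every OP_RETURN payload, the kind of check a blockchain-monitoring or incident-response team can run over transactions from a suspect address. The sample transaction and the c2.example.invalid payload are constructed placeholders, not real indicators.

```python
OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; returns (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def op_return_payload(script):
    """Return the pushed bytes if script is OP_RETURN <push>, else None (bare OP_RETURN ignored)."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op = script[1]
    if op < OP_PUSHDATA1:          # direct push of 1..75 bytes
        return script[2:2 + op]
    if op == OP_PUSHDATA1:         # next byte carries the length (standard relay cap is 80)
        return script[3:3 + script[2]]
    return None                    # wider pushes are non-standard; not handled here

def extract_op_return(raw_tx_hex):
    """Walk a legacy (non-segwit) tx and collect every OP_RETURN payload in its outputs."""
    tx = bytes.fromhex(raw_tx_hex)
    pos = 4                                 # version
    n_in, pos = read_varint(tx, pos)
    for _ in range(n_in):
        pos += 36                           # prev txid (32) + output index (4)
        script_len, pos = read_varint(tx, pos)
        pos += script_len + 4               # scriptSig + sequence
    n_out, pos = read_varint(tx, pos)
    payloads = []
    for _ in range(n_out):
        pos += 8                            # value in satoshis
        script_len, pos = read_varint(tx, pos)
        script, pos = tx[pos:pos + script_len], pos + script_len
        data = op_return_payload(script)
        if data is not None:
            payloads.append(data)
    return payloads

SAMPLE_TX_HEX = (  # constructed: 1 input, a P2PKH output, then an OP_RETURN output
    "01000000" + "01" + "11" * 32 + "00000000" + "00" + "ffffffff"
    + "02"
    + "e803000000000000" + "19" + "76a914" + "22" * 20 + "88ac"
    + "0000000000000000" + "14" + "6a12" + b"c2.example.invalid".hex()
    + "00000000"
)
```

Running `extract_op_return(SAMPLE_TX_HEX)` yields the single constructed payload; in practice the decoded bytes would be compared against known C2 patterns or fed into domain reputation checks.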
Stop Using Solidity's transfer() Now - the article covers the security implications of the upcoming Istanbul hard fork and EIP 1884 as they relate to the transfer() and send() functions. The decrease in Gas cost of these instructions may be just enough to pay for a reentrant call in the future. The article outlines several safe patterns to defend against future instruction gas cost changes.
Using TensorFlow / machine learning for automated RF side-channel attack classification - a detailed research article on the machine learning and side-channel setup used to attack Ledger Blue hardware wallets.
QR Code Degenerators: Unmasking a Crypto Scam - research into online QR code generators found that 4 out of 5 top Google search results were scams which embedded malicious addresses instead of the intended ones.
Malicious QR Generators:
Scammer Bitcoin Addresses:
Analysis of bouncing attack on FFG - details of an attack which may cause a liveness failure in the upcoming Ethereum Casper FFG protocol. Also, check out the related Prevention of bouncing attack on FFG article with a proposed fix.
Stay safe and see you all in the next edition of the blockchain threat intelligence newsletter!