Week 36, 2019

Glupteba | Istanbul | QR | Side-Channel

A quieter week in blockchain security, which leaves room for a closer look at several interesting research articles: a novel malware C2 channel that hides updated server names in Bitcoin OP_RETURN outputs, security considerations for the upcoming Ethereum Istanbul hard fork, a detailed write-up of a hardware wallet side-channel attack, and Bitcoin QR code generator scams.

Malware

  • Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions - a malware analysis report and Appendix on the older Glupteba family, which targets Windows hosts and vulnerable MikroTik routers to mine Monero, steal credentials, and proxy malicious traffic. In addition to conventional HTTP-based C2 communication, Glupteba can recover an updated C2 server name hidden in the OP_RETURN output of transactions sent from a hard-coded Bitcoin address. OP_RETURN outputs are the standard way to embed a small amount of arbitrary data (80 bytes under default relay policy) on the blockchain, which also makes them a convenient place to hide C2 updates that cannot be taken down. The malware uses a publicly available list of Electrum servers to query the Bitcoin network for that address's transactions.

    Indicators:

    C2 Bitcoin address (follow the tx chain):
    15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6

    C2 Hosts:
    5[.]9[.]157[.]50
    keepmusic[.]xyz
    playfire[.]online
    venoxcontrol[.]com
    okonewacon[.]com
    blackempirebuild[.]com
    bigtext[.]club
    clubhouse[.]site
    nxtfdata[.]xyz
    lienews[.]world
    phonemus[.]net
    takebad1[.]com
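As an added example for this item (not code from the Trend Micro report or from the malware itself), the Python below does the blue-team half of the trick: it parses a raw serialized Bitcoin transaction, finds its OP_RETURN outputs and returns the pushed data, which is what you would run over the transaction history of the hard-coded address to recover the same C2 updates the implant does. The sample transaction is constructed inline with a plaintext domain as payload; the input and the second output are placeholders, and the real sample's payload encoding is not modelled here.

```python
"""Pull OP_RETURN payloads out of raw Bitcoin transactions.

Added example for this newsletter, not code from the Trend Micro report
or from the Glupteba sample. It parses the output list of a raw
serialized transaction (legacy or segwit), finds OP_RETURN scripts and
returns the data pushed after the opcode. The sample transaction below
is constructed here with a plaintext domain as payload; the real
malware's payload encoding is not reproduced.
"""
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def read_varint(buf, pos):
    """Bitcoin CompactSize integer: 1, 3, 5 or 9 bytes, little-endian."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def parse_outputs(raw):
    """Return [(value_in_sats, script_pubkey), ...] for a raw transaction."""
    pos = 4  # 4-byte version
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        pos += 2  # segwit marker + flag (BIP 144)
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4  # previous txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        script_len, pos = read_varint(raw, pos + 8)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    # witness data (segwit only) and locktime follow; not needed here
    return outputs


def op_return_pushes(script):
    """Data pushed after OP_RETURN, or [] if this is not a data output."""
    if not script or script[0] != OP_RETURN:
        return []
    pos, pushes = 1, []
    while pos < len(script):
        op = script[pos]
        pos += 1
        if 1 <= op <= 75:            # direct push of 1..75 bytes
            size = op
        elif op == OP_PUSHDATA1:     # next byte holds the length (76..255)
            size, pos = script[pos], pos + 1
        elif op == OP_PUSHDATA2:     # next two bytes hold the length
            size, pos = struct.unpack_from("<H", script, pos)[0], pos + 2
        else:                        # OP_0, OP_1..OP_16 etc. are out of scope
            break
        pushes.append(script[pos:pos + size])
        pos += size
    return pushes


def extract_op_return(raw_tx_hex):
    """Every OP_RETURN push in the transaction, as a list of bytes objects."""
    found = []
    for _value, script in parse_outputs(bytes.fromhex(raw_tx_hex)):
        found.extend(op_return_pushes(script))
    return found


def build_sample_tx(payload):
    """Constructed, unsigned legacy transaction: one OP_RETURN output carrying
    `payload` and one dummy P2PKH output. The input is a placeholder, so the
    result is not broadcastable; it only exercises the parser above."""
    def varint(n):
        return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)

    push = bytes([len(payload)]) if len(payload) <= 75 else bytes([OP_PUSHDATA1, len(payload)])
    data_script = bytes([OP_RETURN]) + push + payload
    p2pkh = b"\x76\xa9\x14" + b"\x00" * 20 + b"\x88\xac"
    tx = (
        struct.pack("<i", 1)                                   # version
        + varint(1) + b"\x11" * 32 + struct.pack("<I", 0)      # one input: txid, vout
        + varint(0) + struct.pack("<I", 0xFFFFFFFF)            # empty scriptSig, sequence
        + varint(2)                                            # two outputs
        + struct.pack("<q", 0) + varint(len(data_script)) + data_script
        + struct.pack("<q", 1000) + varint(len(p2pkh)) + p2pkh
        + struct.pack("<I", 0)                                 # locktime
    )
    return tx.hex()


if __name__ == "__main__":
    # Payload uses one of the C2 hosts listed above purely as sample text.
    sample = build_sample_tx(b"venoxcontrol.com")
    for data in extract_op_return(sample):
        print(data.decode("ascii", errors="replace"))
```

Two caveats when hunting for this channel. Default Bitcoin Core relay policy caps OP_RETURN data at 80 bytes, so a C2 update either fits in one push or has to be split across outputs or transactions, and a detector should reassemble accordingly. And a transaction does not itself name the address that sent it: "sent from the hard-coded address" means querying that address's history (the Electrum protocol the malware speaks provides exactly that lookup) and then resolving each input's previous output, rather than reading a sender field off the transaction.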

Research

  • Stop Using Solidity's transfer() Now - the article covers the security implications of EIP 1884, part of the upcoming Istanbul hard fork, for Solidity's transfer() and send(). Both forward a fixed 2300 gas stipend to the recipient, an amount chosen to be too small for anything beyond logging an event. EIP 1884 raises the gas cost of SLOAD, BALANCE and EXTCODEHASH, so payable fallback functions that read storage will start to run out of gas and revert, breaking the contracts that pay them. The fixed stipend is a hard dependency on opcode pricing that cuts both ways: a future repricing downwards could leave enough gas in the stipend to pay for a reentrant call. The article recommends forwarding gas explicitly with call.value()("") and relying on the checks-effects-interactions pattern or a reentrancy guard, patterns that stay safe across future opcode repricings.

  • Using TensorFlow / machine learning for automated RF side-channel attack classification - a detailed write-up of the machine learning pipeline and side-channel setup used to attack Ledger Blue hardware wallets.

  • QR Code Degenerators: Unmasking a Crypto Scam - research into online Bitcoin QR code generators found that four of the top five Google search results were scams: the generated QR code encoded the scammer's address instead of the one the user entered.

    Indicators:

    Malicious QR Generators:
    hxxps://bitcoinqrcodegenerator[.]net/
    hxxps://btcfrog[.]com/
    hxxps://bitcoin-qr-code[.]net
    hxxps://mybitcoinqrcode[.]com/


    Scammer Bitcoin Addresses:
    17bCMmLmWayKGCH678cHQETJFjhBR44Hjx
    14ZGdFRaCN8wkNrHpiYLygipcLoGfvUAtg
    35mJx4EeEY7Lnkxvg1Swn1eSUN1TtQsQ3
    bc1qs4hcuqcv4e5lcd43f4jsvyx206nzkh4az05nds
    1KrHRyK9TKNU4eR5nhJdTV6rmBpmuU3dGw
    1Gg9VZe1E4XTLsmrTnB72QrsiHXKbcmBRX

  • Analysis of bouncing attack on FFG - details of an attack that can cause a liveness failure in the upcoming Ethereum Casper FFG finality protocol. Also check out the related Prevention of bouncing attack on FFG article with a proposed fix.

Stay safe and see you all in the next edition of the blockchain threat intelligence newsletter.



Support the newsletter

BTC: 39M1VZxR2W4S3nQsj6RUmNbrdLkLT27U2k
ETH: 0x571B7313b36AF37E61359635157657DbAb6Ec240