Introduction

Cyber criminals have always been attracted to cryptocurrencies because it provides a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a payment method for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity and subsequent rising price of cryptocurrencies by conducting various operations aimed at them, such as malicious cryptocurrency mining, collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.

Coinciding with the rising interest in stealing cryptocurrencies, distributed ledger technology (DLT), the technology that underpins cryptocurrencies, has also provided cyber criminals with a unique means of hosting their malicious content. This blog covers the growing trend of cyber criminals using blockchain domains for malicious infrastructure.

Blockchain Infrastructure Use

Traditionally, cyber criminals have used various methods to obfuscate malicious infrastructure that they use to host additional payloads, store stolen data, and/or function as command and control (C2) servers. Traditional methods include using bulletproof hosting, fast-flux, Tor infrastructure, and/or domain generation algorithms (DGAs) to help obfuscate the malicious infrastructure. While we expect cyber criminals to continue to use these techniques for the foreseeable future, another trend is emerging: the use of blockchain infrastructure.

Underground Interest in Blockchain Infrastructure

FireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency infrastructure-related topics dating back to at least 2009 within underground communities. While searches for certain keywords fail to provide context, the frequency of specific words, such as blockchain, Namecoin, and .bit, show a sharp increase in conversations surrounding these topics beginning in 2015 (Figure 1).

[出自:jiwo.org]
Figure 1: Underground keyword mentions

Namecoin Domains

Namecoin is a cryptocurrency based on the Bitcoin code that is used to register and manage domain names with the top-level domain (TLD) .bit. Everyone who registers a Namecoin domain is essentially their own domain registrar; however, domain registration is not associated with an individual's name or address. Rather, domain ownership is based on the unique encrypted hash of each user. This essentially creates the same anonymous system as Bitcoin for internet infrastructure, in which users are only known through their cryptographic identity. Figure 2 illustrates the Namecoin domain name generation process.

Figure 2: Namecoin domain creation process

As Namecoin is decentralized, with no central authority managing the network, domains registered with Namecoin are resistant to being hijacked or shut down. These factors, coupled with the comparative anonymity, make Namecoin an increasingly attractive option for cyber criminals in need of supporting infrastructure for their malicious operations.

Navigating to Namecoin Domains

Domains registered with Namecoin use the TLD .bit, and are not managed by standard DNS providers. Consequently, a client will be unable to establish a connection to these blockchain domains unless additional configurations are made. According to the Namecoin wiki, individuals can take one of the steps shown in Figure 3 to browse .bit domains.

Figure 3: Options for navigating to Namecoin domains outlined on Namecoin wiki

These options are not ideal for cyber criminals, as downloading the entire blockchain onto an infected host would require significant space and bandwidth, and routing their malicious traffic through an unknown third party could result in their traffic being blocked by the resolver. As a result, many have configured their malware to query their own privately managed Namecoin-compatible OpenNIC DNS (Figure 4), or to query other compatible servers they've purchased through underground infrastructure offerings. Bulletproof hosting providers, such as Group 4, have capitalized on the increased demand for .bit domains by adding support to allow malicious actors to query compatible servers.

Figure 4: Blockchain domain support advertised on OpenNIC website

Underground Advertisements for Namecoin Support

The following underground advertisements relating to the use of .bit domains have been observed by researchers over the past several years. These posts range from actors offering .bit compatible modules or configuration updates for popular banking Trojans to .bit infrastructure offerings.

Sample Advertisement #1

Figure 5 shows an advertisement, observed in late 2015, posted by the actor "wachdog" in a popular Russian-speaking marketplace. The actor advertised a small utility (10 KB in size) that is compatible with both Windows and Android operating systems, and would allow for the communication to and from .bit domains.

Advertisement Translated Text: The code is written in C+ for WinAPI or Java for Android. It can be used for small stealth applications to access .bit domains. The registration of new domain costs 0.02 NMC, update of a record - 0.005 NMC. So, the price for domain registration and update will be approximately 0.0072$ and 0.0018$. The code works in all Windows starting from XP, it doesn't require additional libraries, admin privileges, it doesn't download a lot of data. The size of compiled code is 10 KB. It's easy to write it in asm, paskal, c#, java etc. It also works for Android (all versions). You should download the Namecoin wallet, credit it with the minimum amount of NMC and register your own domain using the wallet. IP of C&C can be linked to the domain also using the wallet (one of many, everything works as for normal DNS). Create a build of your software locked to .bit domain. In case the IP of your server is listed, just change the DNS record and assign your domain a new IP for just for 0.005 NMC. No need in new rebuild or registration of new domains. .bit domain cannot be taken, botnet cannot be stolen. Price: Technology + code in C: $300 USD Technology + code in C + code in Java for Android: $400 USD Payment methods: BTC, PerfectMoney

Figure 5: Actor "wachdog" advertises utility to connect to .bit domains in late 2015

Sample Advertisement #2

In late 2017, actor "Discomrade" advertised a new HTTP distributed denial of service (DDoS) malware named "Coala" on a prominent Russian-language underground forum (Figure 6). According to the advertisement, Coala focuses on L7 (HTTP) attacks and can overcome Cloudflare, OVH, and BlazingFast DDoS protections. The original posting stated that the actor was working on adding support for .bit domains, and later updated the forum post to specify that Coala was able to support .bit domain communications.

Advertisement Translated Text: Coala - Http DDoS Bot, .net 2.0, bypass cloudflare/ovh/blazi... The sale resumed. I changed my decision to rewrite the bot from the scratch on native language. I'm looking forward to hearing any ideas / comments/ questions you have about improving this DDoS bot. I updated and enhanced the bot using your previous comments and requests (changed communication model between server and bot, etc) I added the following features/options/abilities: - to customize the HTTP-headers (user-agent, cookie, referrer) - to set task limits - to count the number of bots used for particular task - to read the answer from a server - to use async sockets - to set the number of sockets per timeout - to set the number of HTTP-requests per socket - to set custom waiting time - to set an attack restart periods - to count the requests per second for particular task I removed the feature related to DDoS attacks against TOR sites because of its improper functioning and AV detects. Currently I am working on .bit domains support. The price: $400

Figure 6: Discomrade advertising Coala DDoS malware support for .bit domains

Sample Advertisement #3

The AZORult malware, which was discovered in mid-2016, is offered in underground marketplaces by the actor "CrydBrox." In early 2017, CrydBrox offered an updated variant of the AZORult malware that included .bit support (Figure 7).

Advertisement Translated Text:  AZORult V2 [+] added .bit domains support [+] added CC stealing feature (for Chrome-based browsers) [+] added passwords grabbing from FTP-client WinSCP [+] added passwords grabbing from Outlook (up to the last version) [+] fixed passwords grabbing from Firefox and Thunderbird [+] added the feature to examine what privileges were used to run stealer [+] provided encrypted communication between management panel and the stealer [+] added AntiVirtualMachine, AntiSandbox, AntiDebug techniques [+] fixed logs collection feature (excluded info about file operations) [+] accelerated the work of stealer process [+] removed .tls section from binary file [+] added ability to search logs by cookies content (in management panel) [+] added the view of the numbers of passwords/CC/CoinsWallet and files in logs to management panel [+] added the commenting feature to logs [+] added viewing of the stats by country, architecture, system version, privileges, collected passwords [+] added new filters and improved of old filters There are 4 variants of the stealer: AU2_EXE.exe - run and send the report AU2_EXEsd.exe - run, send the report and remove itself AU2_DLL.dll - collect info after the load into the process, send data and return the control to the process AU2_DLLT.dll - after the loading of the DLL into the process it creates the separate thread for stealer work *DLL versions successfully work with all popular bots. The size – 495 KB, packed with UPX – 220 KB The prices: 1 build - $100 rebuild - $30

Figure 7: CrydBrox advertising AZORult support for .bit domains

Namecoin Usage Analysis

Coinciding with malicious actors' increasing interest in using .bit domains is a growing number of malware families that are being configured to use them. Malware families that we have observed using Namecoin domains as part of their C2 infrastructure include:

• Necurs
• AZORult
• Neutrino (aka Kasidet, MWZLesson)
• Corebot
• SNATCH
• Coala DDoS
• CHESSYLITE
• Emotet
• Terdot
• Gandcrab Ransomware
• SmokeLoader (aka Dofoil)

Based on our analysis of samples configured to used .bit, the following methods are commonly used by malware families to connect to these domains:

• Query hard-coded OpenNIC IP address(es)
• Query hard-coded DNS server(s)

AZORult

The AZORult sample (MD5: 3a3f739fceeedc38544f2c4b699674c5) was configured to support the use of .bit communications, although it did not connect to a Namecoin domain during analysis. The sample first checks if the command and control (C2) domain contains the string ".bit" and, if so, the malware will query the following hard-coded OpenNIC IP addresses to try to resolve the domain (Figure 8 and Figure 9):

• 89.18.27.34
• 87.98.175.85
• 185.121.177.53
• 193.183.98.154
• 185.121.177.177
• 5.9.49.12
• 62.113.203.99
• 130.255.73.90
• 5.135.183.146
• 188.165.200.156

Figure 8: Hard-coded OpenNIC IP addresses - AZORult

Figure 9: AZORult code for resolving C&C domains

CHESSYLITE

The analyzed CHESSYLITE sample (MD5: ECEA3030CCE05B23301B3F2DE2680ABD) contains the following hard-coded .bit domains:

• Leomoon[.]bit
• lookstat[.]bit
• sysmonitor[.]bit
• volstat[.]bit
• xoonday[.]bit

The malware attempts to resolve those domains by querying the following list of hard-coded OpenNIC IP addresses:

• 69.164.196.21
• 107.150.40.234
• 89.18.27.34
• 193.183.98.154
• 185.97.7.7
• 162.211.64.20
• 217.12.210.54
• 51.255.167.0
• 91.121.155.13
• 87.98.175.85

Once the .bit domain has been resolved, the malware will issue an encoded beacon to the server (Figure 10).

Figure 10: CHESSYLITE sample connecting to xoonday.bit and issuing beacon

Neutrino (aka Kasidet, MWZLesson)

The analyzed Neutrino sample (MD5: C102389F7A4121B09C9ACDB0155B8F70) contains the following hard-coded Namecoin C2 domain:

• brownsloboz[.]bit

Instead of using hard-coded OpenNIC IP addresses to resolve its C2 domain, the sample issues DnsQuery_AAPI calls to the following DNS servers:

• 8.8.8.8
• sourpuss.[]net
• ns1.opennameserver[.]org
• freya.stelas[.]de
• ns.dotbit[.]me
• ns1.moderntld[.]com
• ns1.rodgerbruce[.]com
• ns14.ns.ph2network[.]org
• newton.bambusoft[.]mx
• secondary.server.edv-froehlich[.]de
• philipostendorf[.]de
• a.dnspod[.]com
• b.dnspod[.]com
• c.dnspod[.]com

The malware is configured to run through the list in the aforementioned order. Hence, if a DnsQuery_A call to 8.8.8.8 fails, the malware will try sourpuss[.]net, and so on (Figure 11). Through network emulation techniques, we simulated a resolved connection in order to observe the sample's behavior with the .bit domain.

Figure 11: Modified 8.8.8.8 to 8.8.8.5 to force query failure

Monero Miner

The analyzed Monero cryptocurrency miner (MD5: FA1937B188CBB7fD371984010564DB6E) revealed the use of .bit for initial beacon communications. This miner uses the DnsQuery_A API call and connects to the OpenNIC IP address 185.121.177.177 to resolve the domain flashupd[.]bit (Figure 12 and Figure 13).

Figure 12: Code snippet for resolving the .bit domain

Figure 13: DNS request to OpenNIC IP 185.121.177.177

Terdot (aka ZLoader, DELoader)

The analyzed Terdot sample (MD5: 347c574f7d07998e321f3d35a533bd99) includes the ability to communicate with .bit domains, seemingly to download additional payloads. It attempts resolution by querying the following list of OpenNIC and public DNS IP addresses:

• 185.121.177.53
• 185.121.177.177
• 45.63.25.55
• 111.67.16.202
• 142.4.204.111
• 142.4.205.47
• 31.3.135.232
• 62.113.203.55
• 37.228.151.133
• 144.76.133.38

This sample iterates through the hard-coded IPs in attempts to access the domain cyber7[.]bit (Figure 14). If the domain resolves, it will connect to https://cyber7[.]bit/blog/ajax.php to download data that is RC4 encrypted and expected to contain a PE file.

Figure 14: DNS requests for cyber7.bit domain

Gandcrab Ransomware

The analyzed Gandcrab ransomware sample (MD5: 9abe40bc867d1094c7c0551ab0a28210) also revealed the use of .bit domains. Unlike previously mentioned families, it spawns a new nslookup process via an anonymous pipe to resolve the following blockchain domains:

• Bleepingcomputer[.]bit
• Nomoreransom[.]bit
• esetnod32[.]bit
• emsisoft[.]bit
• gandcrab[.]bit

The spawned nslookup process contains the following command (as seen in Figure 15):

• nslookup <domain>  a.dnspod.com

Figure 15: GandCrab nslookup process creation and command

Common OpenNIC IPs

While analyzing these malware samples, FireEye researchers discovered a privately managed OpenNIC DNS server commonly used across multiple families (Table 1). This likely indicates the use of a shared infrastructure service that supports .bit communications.

Terdot	Monero Miner	CHESSYLITE	AZORult
185.121.177.53 185.121.177.177 45.63.25.55 111.67.16.202 142.4.204.111 142.4.205.47 31.3.135.232 62.113.203.55 37.228.151.133 144.76.133.38	185.121.177.177	69.164.196.21 107.150.40.234 89.18.27.34 193.183.98.154 185.97.7.7 162.211.64.20 217.12.210.54 51.255.167.0 91.121.155.13 87.98.175.85	89.18.27.34 87.98.175.85 185.121.177.53 193.183.98.154 185.121.177.177 5.9.49.12 62.113.203.99 130.255.73.90 5.135.183.146 188.165.200.156

Table 1: Hard-coded DNS IP addresses used in various malware families

Domain intelligence gathered on the IP 185.121.177.177, at the time of analysis, revealed the following registration details (Table 2 and Figure 16):

IP Location	Antarctica Zappie Host Llc
ASN	AS204136 FUSLVZ-LTD-AS, AT (registered May 06, 2016)
Resolve Host	anyone.dnsrec.meo.ws
Provider	FuslVZ Ltd.
IP Range	185.121.177.0/24

Table 2: IP registration details

Figure 16: Registration details for IP 185.121.177.177 (DomainTools)

Emercoin Domains

FireEye iSIGHT Intelligence researchers have identified other blockchain domains being used by cyber criminals, including Emercoin domains .bazar and .coin. Similar to the Namecoin TLD, all records are completely decentralized, un-censorable, and cannot be altered, revoked, or suspended.

Navigating to Emercoin Domains

Emercoin also maintains a peering agreement with OpenNIC, meaning domains registered with the Emercoin's EMCDNS service are accessible to all users of OpenNIC DNS servers. Current root zones supported by EMCDNS are shown in Table 3.

Zone	Intended Purpose
.coin	digital currency and commerce websites
.emc	websites associated with the Emercoin project
.lib	from the words Library and Liberty - that is, knowledge and freedom
.bazar	marketplace

Table 3: Emercoin-supported DNS zones (Emercoin Wiki)

Users also have the option of installing compatible browser plugins that will navigate to Emercoin domains, or routing their traffic through emergate[.]net, which is a gateway maintained by the Emercoin developers.

Emercoin Domain Usage

FireEye iSIGHT Intelligence has observed eCrime actors using Emercoin domains for malicious infrastructure, albeit to a lesser extent. Examples of these operations include:

• Operators of Joker's Stash, a prolific and well-known card data shop, frequently change the site's URL. Recently, they opted for using a blockchain domain (jstash[.]bazar) instead of Tor, ostensibly for greater operational security.
• Similarly, the following card shops have also moved to .bazar domains:
  • buybest[.]bazar
  • FRESHSTUFF[.]bazar
  • swipe[.]bazar
  • goodshop[.]bazar
  • easydeals[.]bazar
• In addition to the hard-coded Namecoin domain, the aforementioned Neutrino sample also contained several hard-coded Emercoin domains:
  • http://brownsloboz[.]bazar
  • http://brownsloboz[.]lib
  • http://brownsloboz[.]emc
• FireEye iSIGHT Intelligence identified a Gandcrab ransomware sample (MD5: a0259e95e9b3fd7f787134ab2f31ad3c) that leveraged the Emercoin TLD .coin for its C2 communications (Figure 17 and Figure 18).

Figure 17: DNS query for nomoreransom[.]coin

Figure 18: Gandcrab POST request to nomoreransom[.]coin

Outlook

While traditional methods of infrastructure obfuscation such as Tor, bulletproof, and fast-flux hosting will most likely continue for the foreseeable future, we assess that the usage of blockchain domains for malicious infrastructure will continue to gain popularity and usage among cyber criminals worldwide. Coinciding with the expected increase in demand, there will likely be an increasing number of malicious infrastructure offerings within the underground communities that support blockchain domains.

Due to the decentralized and replicated nature of a blockchain, law enforcement takedowns of a malicious domain would likely require that the entire blockchain be shut down – something that is unfeasible to do as many legitimate services run on these blockchains. If law enforcement agencies can identify the individual(s) managing specific malicious blockchain domains, the potential for these takedowns could occur; however, the likelihood for this to happen is heavily reliant on the operational security level maintained by the eCrime actors. Further, as cyber criminals continue to develop methods of infrastructure obfuscation and protection, blockchain domain takedowns will continue to prove difficult.