Ethereum Threat Actors Part 1 — DotNet Downloader using Ethereum Transactions for C&C updates.

Executive Summary

As part of our research into how cybercrime actors using the Ethereum blockchain for fraudulent means, we analyzed a DotNet downloader that retrieves the malicious payload from URLs stored inside Ethereum transactions. We analyzed the sample provided by a German Security Researcher, Karsten Hahn @struppigel in this tweet.

Image 1: Tweet of Karsten Hahn about the downloader

Downloader analysis

This binary is a simple DotNet downloader, so we used ILSpy, an open-source .NET assembly decompiler in association of QuoLab, our collaborative and decentralized analysis platform to perform our research.

Downloader information:

The downloader is composed of four functions exhibiting different behaviors:

  • ConvertHex: Convert a Hexadecimal string to plaintext string.
  • GetAdditionalDataFromTransaction: Return JSON transaction ‘script’ field for a given TransactionID.
  • GetLastTransactionHashFromAddress: Return last TransactionID for a given Ethereum Address.
  • Main: Download, store and run the malicious payload retrieved from the URL stored on the Ethereum Blockchain.
Image 2: List of functions decompiled by ILSpy

Main Function

Image 3: Main source code decompiled by ILSpy

The main function first reads the text content from “update.txt” if the file exist.

Then, the function GetLastTransactionHashFromAddress is called with the hardcoded value “41AFf7B3a85fD4248C7BC7bE989ce968494170de” that correspond to an Ethereum address.

If the last transaction of this address is considered as valid for the binary, the function GetAdditionalDataFromTransaction is called and the malicious URL is extracted from the transaction data.

The malware checks if it needs to be updated by comparing the URL to the “update.txt” file content. The binary verifies its persistence by checking that the file “msan32.exe” is still stored on the system.

If there is an update, or if the malware is not persistent anymore, the following operations are executed:

  • Cleaning: Kill every process related to ‘msan32’.
  • Persistence: Download the malicious payload and store it as ‘msan32.exe’.
  • Persistence: Save the URL to this malicious payload inside ‘update.txt’.
  • Infection: Execute the malicious ‘msan32.exe’ as a new process.

GetLastTransactionHashFromAddress function

Image 4: GetLastTransactionHashFromAddress source code decompiled by ILSpy

This function used the public Ethereum API of “blockcypher.com” in order to get the last Transaction ID related of the hardcoded Ethereum address (0x41AFf7B3a85fD4248C7BC7bE989ce968494170de).

A smart move from the author was to verify the value of the “tx_output_n” field in the API request response. The blockcypher API used this field to identify if the address is the sender or the receiver of the transaction. By checking this value, the author only cares about the transaction with 0x41AFf7B3a85fD4248C7BC7bE989ce968494170de as the sender because that prevents his botnet from being hijacked by someone else initiating a transaction to his address.

GetAdditionalDataFromTransaction function

Image 5: GetAdditionalDataFromTransaction source code decompiled by ILSpy

The “blockcypher.com” Ethereum API is used again to retrieve the transaction information and the malicious URL is extracted from the JSON “script” field.

Usually, the content of the ‘script’ field will be empty for a transaction between two EoA (Externally Owned Account i.e. controlled by a public/private keypair). However, Ethereum allows users to use this field to send arbitrary data to another account.
In case of a transaction between an Ethereum account (EoA or Smart Contract) that interacts with a Smart Contract, the ‘script’ field (input payload) will be composed with a four bytes function signature followed by the arguments of the function.

If you want to learn more about smart contract analysis, you will find our conference slides about this subject in our media center.

Transaction analysis

At time of analysis (01/08/2019), only one transaction is associated to the address 0x41AFf7B3a85fD4248C7BC7bE989ce968494170de.

Image 6: Transactions associated to 0x41AFf7B3a85fD4248C7BC7bE989ce968494170de in etherscan.io

This transaction on 21 August 2018 (05:27:42+UTC) is a transfer of USD 4.05 from one of the HitBTC exchange addresses to the malware address. We can assume that the malware author has a HitBTC account and that this cryptocurrency exchange knows his (potentially fake) identity. This transaction is surely a refill transaction allowing the malware author to have some funds to send his update URLS.

Image 7: Refill transaction in etherscan.io

There is no transaction with 0x41AFf7B3a85fD4248C7BC7bE989ce968494170de as a sender, meaning that if someone is already infected by this downloader, no active malicious payload have been downloaded and executed on the affected system by this malware.

C&C Update Pricing

Sending arbitrary data is not difficult, and requires just one line of code if you use the Ethereum JavaScript API, web3js.
As an example, if we take this unrelated transaction to calculate the price per C2 command:

  • ‘Script’ field content: 0x68747470733a2f2f7777772e6662692e676f76.
  • URL string: ‘https://www.fbi.gov'.
  • Length string: 19.
  • Fee for this transaction: USD 0.003405.

This translates to around USD 0.00018 per character (i.e. USD 0.05 cents for a message at the length of tweet), which is a low price for changing persistent C2 URL.
Of course, it is interesting to monitor this address and download the malicious payload available at the URL, if future transactions occur.

HINTS:

If you want to analyze all the previous Ethereum transactions with values in the ‘script’ field, you will retrieve every call to a Smart Contracts (i.e. millions of results). 
But, If you are only looking to view ‘script’ fields containing a specific pattern, you can use Google BigQuery and search, in our case, for every transaction starting with 0x68747470 (‘http’ in hexadecimal).

Image 8: BigQuery results with transaction input field starting with 0x68747470

Blockcypher service

It is not the first time we saw the blockcypher API being used in malware. Some versions (>=4.1.0) of the Cerber ransomware have used it to retrieve transactions associated to bitcoin addresses (over HTTP request to http://api.blockcypher.com/v1/btc/main/addrs/BITCOIN_ADDRESS).

Image 9: Blockcypher API correlation shown by QuoLab

As this service does not require any API key, it is potentially why malware authors use it in the first place.

Future of Ethereum botnet

The usage of Ethereum for malware authors will surely be more common in the future, mainly because public blockchain provides a lot of security advantages for them:

  • Ethereum blockchain is public and immutable, meaning that information (transactions or Smart Contracts) cannot be removed by law enforcement.
  • Access to their C&C is secured due to the security behind Ethereum authentication (public/private key pair).
  • Selling C&C control access can be achieved simply be changing the ownership of a Smart Contract.

To help combat this threat or monitor malicious transaction history, Threat Intel teams can obtain transaction history of actors. Additionally, law enforcement can potentially identify actors behind the botnet more easily if they request identity information to cryptocurrency exchanges (like HitBTC in this case) and shutdown botnets with access to the C&C account private key (Ethereum private key).

Other researchers also show that it is also possible to use Smart Contracts for botnet control. You can find more information using the following resources:

Additionally, you can check out our open source tool Octopus to analyze Ethereum transaction and reverse Ethereum Smart Contracts. Moreover, please also find our conference presentations about this subject in our QuoScient media center.

Conclusion

We are grateful to Karsten Hahn (@struppigel) for highlight this binary, so that we could have a closer look at the mechanisms of malware authors using Ethereum transactions. Having outlined the most important findings above, we would like to take the chance to make some precisions regarding his original tweet:

  • The downloader only uses Ethereum transaction to extract an URL.
  • The downloader will download the malicious malware payload from this URL.
  • The “script” field containing the URL is not custom, it’s standard in Ethereum but unusual for transaction between two EoA accounts.

We hope that our analysis has provided more insight and is helpful in spreading the word about this attack vector. We are happy if we have contributed to make the world more digitally secure as our Digital Active Defense vision guides us to do so.

Many thanks and I am happy to keep in touch on this subject.

Patrick Ventuzelo, Security Researcher at Quoscient

Indicators of Compromise

DotNet downloader:
SHA-256: 2ae7e6d0c8b9c8b86affaf5ee9752761a4cbff3f418a81fe74f9425b9387d4c0

URLS:
https://api.blockcypher[.]com/v1/eth/main/txs/
https://api.blockcypher[.]com/v1/eth/main/addrs/

Ethereum address:
0x41AFf7B3a85fD4248C7BC7bE989ce968494170de

Cerber binaries:
SHA-256:

  • 56f41afc8f025597659f11f59b191e66bd6c6525313cf3c0356c40490722b7c5
  • e58185d68dcfb67996c8443aafd932c9e6925f8fbfca5e2ad535ebb75a4ca8be
  • 39f50b02efde61f49cabbe47a68d483d39e95b307aad7b059b9e479558e171ed
  • c04dc76f66029ed71d0c5ff524585264b9e171d25222c06b79bb1c98779f6f6e
  • 6df046b6e9c28b527d7e19733915371b1c058124fd4ad2dbeee8174f8c95224a
  • 20979dde8617b27344bccfb4e6c6413b6abf5f045a09e00fa2ea6b64c9b19f1b
  • e7f7e16f31471604a479316aec38cfe9ea6596a4b8ce680296e053fa9b0e2e24
  • 22fd59f3e7f2b3c790b1cd19d99df5c42a6a923e25fca197aa148bb53af03bb5
  • 8255164b5f8da63db12fa1a7fefc7fdb3eac1f440931ee157f9956a1395ca16f
  • 57c81e6cb3d92acfc7870ef9713eafac924f9cc4adf605d5e1a50e06b3f3adc9
  • 8d4cd71eb1fb43452bc8efc1a5a778c088a2b6602452266e82acb948514e4076
  • bc7164621a64144d01d4ab488185c5d3730c540603a9deaa1f29488b518abbe1
  • 19a18990c26f0600f1937676672040efa8184fd4247b583c497655d4b4ff7257
  • ed63a9cd537df84178559086eae92ab46eed063739715070e6329e9430f36bd4
  • ae7d4f8198e39d05390f7c1c3b3c626bc99d571abd00aac21ce2119e1e1fd602
  • d79b8397885d3994929967bfb0f8f6ca2c2bf0b52cb7dd45fb9a9731e4edc2fb

URLS:
http://api.blockcypher[.]com/v1/btc/main/addrs/
http://api.blockcypher[.]com/v1/btc/main/txs/

Bitcoin addresses:
17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt
1HTDy9SkfhwaNCXFA8wFCvN53f3iGpm8kb
1ML94w1SCudkiFHaEwYqTmKGTkywxVBuZg