Orchard botnet uses Bitcoin transaction information to generate DGA domains

Security Affairs

Experts have spotted a new botnet named Orchard using Bitcoin creator Satoshi Nakamoto’s account information to spawn malicious domains.

360 Netlab researchers recently discovered a new botnet named Orchard that uses transaction information from Satoshi Nakamoto’s Bitcoin account (1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa) to generate its DGA domain names.

“Another change concerns the use of the DGA algorithm used in the attacks. While the first two variants rely exclusively on date strings to generate domain names, the new version uses balance information obtained from the cryptocurrency wallet address 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa,” reads the analysis published by the researchers.

“Over the last decade or so, small amounts of bitcoins have been transferred to this wallet daily for various reasons, so it is variable and this change is difficult to predict, so the balance information for this wallet may also be used as DGA Contribution,” the researchers added.

According to the researchers, this technique is more unpredictable than a time-seeded DGA because of the uncertainty of Bitcoin transactions, and is therefore harder to defend against: a defender cannot precompute the domains for future days without also knowing the future wallet balance.
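To make the defensive consequence concrete, here is an added toy model (not Orchard's actual algorithm, and not code from the 360 Netlab report) contrasting a date-seeded DGA with one that also folds in an externally observed wallet balance. The hashing scheme, label length and TLD list are illustrative assumptions; the point is that a date-only seed lets a defender precompute and sinkhole every domain for the next N days, while a balance-dependent seed can only be enumerated once the balance is known, or by guessing a range of plausible balances around the last observed value.

```python
import datetime
import hashlib
import re

# Illustrative TLD set (assumption; the article does not list Orchard's TLDs).
TLDS = ("com", "net", "org")
LABEL_LEN = 12
DOMAIN_RE = re.compile(r"[a-z]{%d}\.(%s)" % (LABEL_LEN, "|".join(TLDS)))


def dga_domain(seed):
    """Toy DGA: hash the seed string and map the digest onto a letters-only label.
    This is a hypothetical stand-in for whatever Orchard really does."""
    digest = hashlib.sha256(seed.encode()).hexdigest()
    label = "".join(
        chr(ord("a") + int(digest[2 * i:2 * i + 2], 16) % 26) for i in range(LABEL_LEN)
    )
    tld = TLDS[int(digest[-2:], 16) % len(TLDS)]
    return "%s.%s" % (label, tld)


def date_seeded_domains(start, days):
    """Variants 1/2 style: the seed is only the date, so every domain for the
    next `days` days can be generated ahead of time and added to a blocklist."""
    return [
        dga_domain((start + datetime.timedelta(days=d)).isoformat()) for d in range(days)
    ]


def balance_seeded_domain(day, balance_satoshi):
    """Variant 3 style: the seed combines the date with the wallet balance
    observed on that day, so the domain depends on data the defender does not
    have in advance."""
    return dga_domain("%s:%d" % (day.isoformat(), balance_satoshi))


def defender_candidates(day, last_known_balance, window):
    """Defender-side enumeration once the algorithm is known: because the
    article notes only small daily transfers hit the wallet, guessing a window
    of balances around the last observed value recovers the likely domains."""
    return {
        balance_seeded_domain(day, last_known_balance + delta)
        for delta in range(-window, window + 1)
    }


def uncovered(blocklist, observed_domains):
    """Domains seen in DNS telemetry that a precomputed blocklist would miss."""
    return set(observed_domains) - set(blocklist)


if __name__ == "__main__":
    start = datetime.date(2021, 2, 1)
    blocklist = date_seeded_domains(start, 30)          # precomputed for a month
    day = start + datetime.timedelta(days=10)
    # Constructed sample balance in satoshi; not a real figure from the wallet.
    observed_balance = 6_850_000_000
    seen = balance_seeded_domain(day, observed_balance)
    print("date-only blocklist misses:", uncovered(blocklist, [seen]))
    guesses = defender_candidates(day, observed_balance - 40, 100)
    print("balance-window guess covers it:", seen in guesses)
```

The `defender_candidates` helper mirrors how a detection team would work once the DGA is reverse-engineered: fetch the wallet balance (or a window of plausible values) each day and feed it to the same function the bot uses, rather than relying on a list generated from dates alone.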

The researchers have identified three versions of this botnet since February 2021, and they also noticed that its operators changed programming language during the same period.

The bot allows operators to deploy additional malware to the infected machine and execute commands received from the C2 server.

The Orchard botnet uses a redundant C2 mechanism of “hard-coded domain + DGA”: experts found that each version includes a unique hard-coded DuckDNS dynamic domain name as a C2 fallback alongside the generated domains.

All of the builds analyzed by the experts spread by infecting USB drives, although the researchers believe Orchard may also spread in other ways.

All three versions of Orchard essentially support the same features, including:

  • Upload device and user information
  • Respond to commands and download and run next-stage modules
  • Infect USB storage devices

Netlab researchers reported that v1 and v2 have already infected thousands of machines, while v3 has infected fewer systems because it appeared later.

Version 3 also adds the ability to launch the XMRig Monero mining software.

“Orchard is a family of botnets that uses DGA technology. The latest version is dedicated to mining and has started using more unpredictable information like transaction information from bitcoin accounts as input for DGA, which makes detection more difficult. In more than a year, Orchard has appeared in 3 different versions with changes in programming language and DGA implementation, indicating that Orchard is a family of botnets that is still active and deserves our vigilance,” concludes the report. “We expect other variants to emerge eventually, for which we will continue to monitor, and continue to disclose new findings.”

It should be noted that the wallet address is the receiving address for the Bitcoin Genesis block miner reward, which took place on January 3, 2009 and is believed to be owned by Nakamoto.


Pierluigi Paganini
