[cb22] What I learned from the direct confrontation with the adversaries who hid C&C server information in the blockchain en by Tsuyoshi Taniguchi

CODE BLUE 2022
What I Learned from the Direct
Confrontation with the Adversaries
who Hid C&C Server Information in
the Blockchain
Tsuyoshi Taniguchi
Fujitsu System Integration Laboratories LTD.
October 27, 2022
Copy right 2022 Fujitsu System Integration Laboratories Limited
1

DNS Abuse vs Blockchain Abuse
C&C server
C&C server
DNS
server
Blockchain
Detection of DNS abuse
Cyber Threat Intelligence, Passive
DNS, Active DNS, WHOIS history,
subdomain
CODE BLUE 2017 Day0
CODE BLUE 2018, 2020, 2021
Detection of blockchain abuse
Black Hat Asia 2021 Briefings
ACM ASIACCS 2021
International collaboration with Prof. Doerr
(Hasso Plattner Institute)
2

Tsuyoshi TANIGUCHI
⚫ Fujitsu System Integration Laboratories Researcher, Ph.D.
⚫Mar. 2008 - Hokkaido University Ph.D. (computer science)
⚫Apr. 2008 - Researcher, FUJITSU
⚫Apr. 2016 - Researcher, FUJITSU SYSTEM INTEGRATION LABORATORIES LTD
⚫Speaker
⚫ CODE BLUE 2017 Day0 Special Track Counter Cyber Crime Track
⚫ CODE BLUE 2018, 2020, 2021
⚫ Black Hat Asia 2021, ACM ASIACCS 2021
⚫ International collaboration with Prof. Doerr (Hasso Plattner Institute)
Please search ACM Tsuyoshi Taniguchi
-> The table of C&C server IP addresses (Table 5)
-> You can find malware samples from VirusTotal by searching the IP addresses
(There is a case where malware samples not related to this attack are found)
3

Timeline
2019 2020 2021
10 11 12 1 2 3 4 5 6 7 8 9 10 11 12 1 2 3 4 5 6
WS
Monitoring
start
Detection of
change of
Bitcoin
addresses
Collaboration
proposal
Fujitsu alone
Collaboration
start
International collaboration with HPI
4

Timeline
2019 2020 2021
10 11 12 1 2 3 4 5 6 7 8 9 10 11 12 1 2 3 4 5 6
WS
Monitoring
start
Detection of
change of
Bitcoin
addresses
Collaboration
proposal
Collaboration start
Fujitsu alone International collaboration with HPI
Takeover
led C&C communication
to our sinkhole server
Implementation of the
evasive mechanism within
around two weeks
5

Timeline
2019 2020 2021
10 11 12 1 2 3 4 5 6 7 8 9 10 11 12 1 2 3 4 5 6
WS
Monitoring
start
Detection of
change of
Bitcoin
addresses
Collaboration
proposal
Collaboration start
Takeover
Implementation of the
evasive mechanism
abandonment of the
attack infrastructure
Black Hat
Asia 2021
ASIACCS
2021
6

Today’s Presentation
2019 2020 2021
10 11 12 1 2 3 4 5 6 7 8 9 10 11 12 1 2 3 4 5 6
WS
Monitoring
start
Detection of
change of
Bitcoin
addresses
Collaboration
proposal Collaboration start
Takeover Implementation of the
evasive mechanism
abandonment of the
The essence in (pre-)analysis in order to succeed in taking over
For CODE BLUE
2022
7

Confrontation with the Adversaries who Hid
C&C Server Information in the Blockchain
1.
2.
3.
4.
5.
6.
8

Overview of Our System and Division of Roles
Defender
Bitcoin blockchain
Sinkhole
server
C&C server
Malware
(Pony)
Phishing
group
HPI: Analysis of
malware, sinkhole
server operation
Fujitsu:
Analysis of Bitcoin operation
Monitoring system
9

1. Ethical Considerations
2.
3.
4.
5.
6.
10

The Way of Hiding C&C Server Information
in the Blockchain
C&C server
142.93.0.206
In recent two transactions related to
a particular Bitcoin address
11

The Principle of Takeover
-> Success on Aug. 14, 2020
⚫To send Bitcoin hidden the IP address of our sinkhole server
to the Bitcoin address controlled by the adversaries
C&C
server
Ours
Ours
Sinkhole server
12

1. Ethical Considerations: Exfiltrated Files
Sinkhole
server
C&C server
⚫We must not download any exfiltrated files
Exfiltrated
files
13

Download DLL
Sinkhole
server
C&C server
14

Deletion of Malware Itself by Self Protection
Mechanism
Sinkhole
server
C&C server
⚫Extermination of the malware by our takeover
15

⚫Ethical considerations in cyber security
⚫Report to providers whose IP addresses abused by adversaries
⚫Report to software vendors whose products have vulnerabilities
⚫This case: exfiltrated files from infected clients
⚫If we download the exfiltrated files, we are colleagues of the
phishing group
⚫After takeover design, we had many considerations
⚫We realize both of disturbance of C&C communication and
extermination of malware
⚫Important point in order to protect ourselves from
ethical viewpoints
16

2. The Importance of Hypothesis Verification
3.
4.
5.
6.
17

Back to the Initial Stage of Monitoring from
the Highlight of International Collaboration
2019 2020 2021
10 11 12 1 2 3 4 5 6 7 8 9 10 11 12 1 2 3 4 5 6
WS
Monitoring
start
Detection of
change of
Bitcoin
addresses
Collaboration
proposal Collaboration start
Takeover Implementation of the
evasive mechanism
abandonment of the
18

⚫A hypothesis verification in cyber security
⚫To anticipate vulnerabilities in an organization network, then verify the
ones by related tools
⚫To anticipate vulnerabilities of tools, then verify
⚫The hypothesis verification in this case
⚫Evasive behavior against our takeover
⚫Hypothesis: after identifying our takeover, the adversaries take an
evasive action
⚫Verification:
19

The First Stage of Bitcoin Operation
⚫Three types of Bitcoin addresses
⚫Sender: disposable addresses through Bitcoin exchange services
⚫IP signal: static addresses made by the adversaries
⚫Collector
Collector
Sender
IP signal
Sender
Sender
⋮
Sender
IP signal
20

Bitcoin Addresses for This Attack
⚫IP signal
⚫1BkeGqpo8M5KNVYXW3obmQt1R58zXAqLBQ: 1BkeG (Abbreviation)
⚫1CeLgFDu917tgtunhJZ6BA2YdR559Boy9Y: 1CeLg (Abbreviation)
⚫Collector
⚫1PFSS4kdTxvVhrti4fM3jK9FLhUt5zZf6i: 1PFSS (Abbreviation)
⚫Since transactions in the blockchain are open, you can verify
all transactions related to 1BkeG, 1CeLg, and 1PFSS
⚫Table1 in our ASIACCS paper
21

My Hypothesis in the First Stage of Monitoring
⚫If the adversaries change IP signal, then I can detect the
changed IP signal in the circulation of Bitcoin operation
IP signal 1
Sender A Sender B
C&C
server
IP signal 2
Sender X Sender Y
Collector
22

Bitcoin Operation: Nov. 15 to 30, 2019
1BkeG
1CeLg
1PFSS
Gephi: https://gephi.org/ 23

Bitcoin Operation: Dec. 1 to 10, 2019
1BkeG
1CeLg
• The adversaries changed
the IP signal from 1BkeG
to 1CeLg
• I confirmed malware
samples which
communicated with 1CeLg
24

Bitcoin Operation: Dec. 10 to 12, 2019
1BkeG
1CeLg
1N94r
1PFSS
19hi8
Collected Bitcoin from 1BkeG and 1CeLg to 1PFSS
-> moved Bitcoin from 1PFSS to 1N94r
-> sent Bitcoin from 1N94r to 1BkeG and 19hi8
25

Newly Added Bitcoin Addresses
⚫IP signal
⚫19hi8BJ7HxKK45aLVdMbzE6oTSW5mGYC82: 19hi8 (Abbreviation)
⚫Collector
⚫1N94rYBBCZSnLoK56omRkAPRFrpr5t8C1y: 1N94r (Abbreviation)
26

Bitcoin Operation in the Final Stage
⚫The functions of sender and collector were aggregated:
1N94r
⚫Back to 1BkeG from 1CeLg for IP signal
1N94r
1BkeG
19hi8
27

The Design Mistake for Hiding C&C IP
Addresses in the Blockchain
IP signal
Sender Our sender
Anybody could
send Bitcoin
hidden any IP
addresses
The adversaries
sent Bitcoin
hidden C&C IP
address
Malware did not
check where the
incoming Bitcoin
come from
28

Takeover Evasive Mechanism
IP signal
Sender
Implementation of the takeover evasive mechanism within around
two weeks
Our sender
Accessed transactions
related to the sender
We could send Bitcoin
29

Takeover Evasive Mechanism
⚫ https://blockchain.info/rawaddr/1BkeGqpo8M5KNVYXW3obmQt1
R58zXAqLBQ -> 1N94rYBBCZSnLoK56omRkAPRFrpr5t8C1y
1BkeG
1N94r
1BkeG
1N94r
1BkeG
1BkeG
Our sender
Our sender
1BkeG
1N94r
30

Against Takeover Evasive Mechanism
⚫ To send Bitcoin hidden our sinkhole server IP address to 1N94r
1BkeG
1N94r
1BkeG
1N94r
Our sender
Our sender
1N94r
1N94r
1N94r
31

Detection Evasion by Changing Bitcoin Address
IP signal
Sender
IP signal
Refuge
I detected IP signal change in
Dec. 2019
-> technically possible, but
the adversaries did not
change IP signal after evading
our takeover 32

⚫Hypothesis: detection evasion by changing IP signal
⚫Verification: the adversaries changed IP signal in Dec. 2019,
but did not change after evading our takeover
⚫Notice
⚫IP signal change: technically possible, much cost for synchronizing
malware implementation and changing Bitcoin addresses?
⚫In the process of the verification, I identified the issue from
adversary’s side
⚫The hypothesis verification process itself is important
33

3. Consciousness of the Relation Between the Cyberattacks
and the Worldwide Event
4.
5.
6.
34

C&C Server Update Time Change
Aug. 2019 May 2020
Aug. 2020
Jan. 2021
Mar. 2020
Daytime -> midnight (UTC)
Fee soar influenced by the
Bitcoin halving
Metabase: https://www.metabase.com/
35

3. Consciousness of the Relation Between
the Cyberattacks and the Worldwide Event
⚫C&C server update time (Bitcoin trade time) in May 2020
⚫Daytime -> midnight (UTC)
⚫After conducting in-depth analysis from various viewpoints, I found fee
soar
⚫Examination regarding fee setting
⚫I identified the Bitcoin halving
⚫May 11, 2020 (UTC): 630, 000 blocks
⚫Fees tend to be low during midnight since the number of trades
decrease
⚫It is important to broaden your horizons including the
relation between cyberattacks and worldwide events
36

3. Consciousness of the Relation Between the Cyberattacks and
the Worldwide Event
4. Adversary’s Intention Behind Tactics, Techniques, and
Procedures (TTPs) Evolution
5.
6.
37

4. Adversary’s Intention Behind TTPs Evolution
⚫Behind TTPs evolution
⚫To improve methods
⚫To cope with troubles
⚫Change of trading time in May 2020
⚫To save fees of transactions for miners for avoiding the influence by the
Bitcoin halving
⚫Change of the strategy of selecting blocks in Jul. 2020
⚫The second case study in our Black Hat Asia 2021 presentation
⚫To explore the way of controlling the order of confirmations of two
transactions
38

the Worldwide Event
5. Operational Error by the Adversaries
6.
39

Mistakenly Send Bitcoin
⚫ Three transactions: change of Bitcoin addresses in Dec. 2019 (test?)
⚫ Others: mistakenly send Bitcoin
1BkeG
Date Bitcoin IP Octet
5:33:19, Dec. 11, 2019 31,683 195.123
8:39:45, Jul. 24, 2020 10,818 66.42
19hi8
5:22:28, Dec. 11, 2019 31,683 195.123
9:39:13, Apr. 22, 2020 15,573 213.60
3:11:43, Jul. 22, 2020 27,052 172.105
1CeLg
12:9:19, Dec. 10, 2019 19,508 52.76
Test?
Test?
Test?
40

Mistakenly Send Bitcoin
2020/7/24 5:46 31,366 Satoshi -> 134.122
2020/7/24 5:55 64,792 Satoshi -> 24.253
2020/7/24 8:39 10,818 Satoshi -> 66.42
2020/7/24 8:58 31,366 Satoshi -> 134.122
2020/7/24 9:02 64,792 Satoshi -> 24.253
134.122.24.253
-> Samples in
VirusTotal
66.42.134.122
-> No samples
⚫ Adversary’s side: no influence
⚫Soon after mistakenly sending Bitcoin, they sent correct two transactions again
⚫ Defender’s side: big influence
⚫When I traced back through the transactions, these wrong transactions were
no pair of any transactions
41

the Worldwide Event
6. Long Term Data Collection
42

⚫C&C IP address update: around 200 times from Sep. 2019 to
Aug. 2020
⚫My data collection: from Sep. 2019 to Jan. 2021
⚫Design of the data collection
⚫Consideration of the limit of the number of transactions by blockchain
API
⚫Ex. 50 transactions
⚫Dealing with wrong transactions
⚫My implementation: skip reading wrong transactions
43

the Worldwide Event
44

3. Consciousness of the Relation Between
the Cyberattacks and the Worldwide Event
IP signal
Sender
1,000,000 Satoshi 100,000 Satoshi
Sender
870,000 Satoshi
Fee
30,000 Satoshi -> 60,000 Satoshi
Fee soar influenced by
the Bitcoin halving
30,000 Satoshi: around $3 (as of Aug. 2020, 1BTC = $10,000)
-> around $18 (as of Mar. 2021, 1BTC = $60,000)
Bitcoin soar
-> abandonment of the attack infrastructure
970,000 Satoshi
45

Thank you

[cb22] What I learned from the direct confrontation with the adversaries who hid C&C server information in the blockchain en by Tsuyoshi Taniguchi

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a [cb22] What I learned from the direct confrontation with the adversaries who hid C&C server information in the blockchain en by Tsuyoshi Taniguchi

Semelhante a [cb22] What I learned from the direct confrontation with the adversaries who hid C&C server information in the blockchain en by Tsuyoshi Taniguchi (20)

Mais de CODE BLUE

Mais de CODE BLUE (20)

Último

Último (20)

[cb22] What I learned from the direct confrontation with the adversaries who hid C&C server information in the blockchain en by Tsuyoshi Taniguchi