Software developer, cyber security expert, and malware analyst with more than a decade of experience in malware research, system protection, and threat prevention. Graduate of the Check Point Security Academy, with a BSc (Computer Science and Mathematics) and an MBA from Bar-Ilan University.
Malware writers are getting more creative about where they hide their C&C domains and IP addresses and how they generate them dynamically. We’ve seen C&C domains hidden in unusual places, such as fake social media accounts and RSS feeds, but in this talk I’ll review a new technique found inside the bitcoin blockchain.
While analyzing this method of attack, we tried to understand why an attacker would even use the bitcoin blockchain as part of an infection chain. The answer is that the platform is hard to trace, stable (there’s no downtime), reachable from almost everywhere, and easy to update, which makes it well suited to this purpose.
I’ll first show a well-known technique that has already been used on the bitcoin blockchain: embedding the C&C domain name in an OP_RETURN output script. Then I’ll present a deep analysis of a new method we recently discovered that uses a wallet’s transaction history to generate a dynamic C&C IP address.
Finally, I’ll demonstrate how the C&C IP addresses can be recovered from a specific bitcoin wallet, how the malicious payload can be fetched from the C&C, and how the attacker’s infrastructure can be destroyed by sending a single transaction to the attacker’s wallet.
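As a defender-side illustration of the OP_RETURN technique described above, the following is an added example (not code from the talk): it parses the data pushes that follow OP_RETURN in a bitcoin output script and flags any domain-like string, so a transaction feed can be screened for this kind of hidden C&C indicator. The output scripts and transaction ids below are constructed samples, not real transactions.

```python
"""Decode OP_RETURN data pushes from bitcoin output scripts and flag
domain-like strings (added illustration; sample data is constructed)."""
import re

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D
# Rough hostname pattern: dot-separated labels ending in an alphabetic TLD.
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}", re.IGNORECASE)


def op_return_payloads(script_hex: str) -> list[bytes]:
    """Return the data pushes following OP_RETURN in a scriptPubKey.
    Returns [] when the script is not an OP_RETURN output."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return []
    pushes, i = [], 1
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:            # opcode value is the push length
            n = op
        elif op == OP_PUSHDATA1:     # next byte is the push length
            n = script[i]
            i += 1
        elif op == OP_PUSHDATA2:     # next two bytes (little-endian) are the length
            n = int.from_bytes(script[i:i + 2], "little")
            i += 2
        else:                        # any other opcode: stop parsing pushes
            break
        if i + n > len(script):
            raise ValueError("truncated push in OP_RETURN script")
        pushes.append(script[i:i + n])
        i += n
    return pushes


def find_domains(script_hex: str) -> list[str]:
    """Domain-looking strings embedded in the OP_RETURN pushes of a script."""
    found = []
    for data in op_return_payloads(script_hex):
        found += [m.decode("ascii") for m in DOMAIN_RE.findall(data)]
    return found


def scan_outputs(outputs):
    """outputs: iterable of (txid, vout, scriptPubKey_hex); yields hits only."""
    for txid, vout, spk in outputs:
        domains = find_domains(spk)
        if domains:
            yield (txid, vout, domains)


def _push(data: bytes) -> bytes:      # helper: direct push (len <= 75)
    return bytes([len(data)]) + data


SAMPLE_OUTPUTS = [                    # constructed, not real transactions
    ("tx-a", 0, "76a914" + "00" * 20 + "88ac"),                      # plain P2PKH
    ("tx-b", 1, (bytes([OP_RETURN]) + _push(b"c2.example.test")).hex()),
    ("tx-c", 0, (bytes([OP_RETURN]) + _push(b"just a memo")).hex()),
]
```

Running `list(scan_outputs(SAMPLE_OUTPUTS))` reports only `tx-b`, since the memo in `tx-c` contains no hostname and `tx-a` is not an OP_RETURN output.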
Registration for the workshop and for the conference itself is now open. The workshop has a limited number of tickets, so register early if you want to guarantee yourself a spot. To reserve your ticket(s), click the big red button.
Want to register using your favorite cryptocurrency? We’re on your side. Just click that button to email us and begin the process. We’ll get back to you promptly.
Want to sponsor Algorithm 2022 or have an exhibit space during the conference? Click that button to view the sponsorship prospectus.