Orchard botnet propagates through the account of Bitcoin’s founder

August 30, 2022

The Orchard malware botnet has been observed abusing the account transaction information of Bitcoin’s founder, Satoshi Nakamoto, to generate domain generation algorithm (DGA) names that hide its C2 infrastructure from security solutions.

According to researchers, the technique is more effective than other strategies because the underlying Bitcoin transactions are unpredictable, which makes the Orchard botnet very challenging for security solutions to defend against.

The Orchard botnet first appeared in February last year and has since gone through three variants, with this version being the latest. Its operators have also adopted DGA technology to install various malware strains on infected devices.

This new botnet also spreads through compromised USB storage devices, in addition to harvesting user and machine data from infected hosts. Recent research by a cybersecurity analyst found that over a couple of thousand hosts in China have been hit by the malware.

The operators of the latest version of the Orchard botnet can also mine Monero.

Recent reports state that the operators of the Orchard botnet’s latest version can deploy the XMRig mining program to mine Monero using the compromised system’s resources. This version also differs from its predecessors in how the DGA is used in the attacks.

Orchard’s first two variants relied heavily on date strings to generate domain names, whereas the newest version uses balance information retrieved from the Bitcoin wallet. The threat operators also use these wallets to create separate DGA domains.
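The difference between the two seeding strategies matters for defenders: a date-seeded DGA can be enumerated ahead of time and sinkholed, while a balance-seeded one can only be derived after the wallet changes. The following Python script is an added illustration, not code from the original article or from the Orchard malware; the hash-based DGA, the seed prefix, the `.com` TLD, the wallet balance and the DNS log lines are all constructed for the demo and are not Orchard’s real algorithm or indicators.

```python
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

# Constructed values for the demo; the article gives no real Orchard seeds, TLDs or domains.
TLD = ".com"
ENTROPY_THRESHOLD = 3.0  # bits per character; loose cut-off for a 12-letter label


def dga_domain(seed: str, length: int = 12) -> str:
    """Toy DGA (hypothetical, not Orchard's): hash the seed and map the first
    `length` digest bytes onto lowercase letters."""
    digest = hashlib.sha256(seed.encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
    return label + TLD


def date_seeded_domains(start_ymd: str, days: int) -> list[str]:
    """First/second-variant style: the seed is a date string. Every future
    date is known, so a defender can enumerate the domains in advance and
    load them into a blocklist or sinkhole."""
    start = date.fromisoformat(start_ymd)
    return [dga_domain(f"seed-{start + timedelta(days=i):%Y%m%d}") for i in range(days)]


def balance_seeded_domain(balance_satoshi: int) -> str:
    """Third-variant style: the seed is a wallet balance. The value is only
    known once the chain records a transaction, so the domain cannot be
    pre-computed; it can only be reconstructed after the fact."""
    return dga_domain(f"seed-{balance_satoshi}")


def shannon_entropy(text: str) -> float:
    """Bits per character of the text; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_suspicious(dns_log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Defender check over resolver logs: exact match against the pre-computed
    blocklist first, then an entropy heuristic for names the list cannot
    cover (such as balance-seeded domains)."""
    hits = []
    for line in dns_log_lines:
        qname = next((tok[len("qname="):] for tok in line.split() if tok.startswith("qname=")), None)
        if qname is None:
            continue
        if qname in blocklist:
            hits.append((qname, "blocklist"))
        elif shannon_entropy(qname.split(".")[0]) >= ENTROPY_THRESHOLD:
            hits.append((qname, "high-entropy label"))
    return hits


def run_demo() -> dict:
    """Build a blocklist from a week of date seeds, then scan constructed logs."""
    dated = date_seeded_domains("2022-08-30", 7)
    blocklist = set(dated)
    balance_dom = balance_seeded_domain(123_456_789)  # constructed balance, not a real wallet value
    logs = [  # constructed DNS resolver log lines
        f"2022-08-30T10:00:01 client=10.0.0.5 qname={dated[0]} type=A",
        "2022-08-30T10:00:02 client=10.0.0.5 qname=example.com type=A",
        f"2022-08-30T10:00:03 client=10.0.0.7 qname={balance_dom} type=A",
        "2022-08-30T10:00:04 client=10.0.0.9 qname=mail.google.com type=MX",
        "2022-08-30T10:00:05 client=10.0.0.9 qname=qzvxkjwpbmdy.com type=A",  # constructed random-looking label
    ]
    return {
        "blocklist_size": len(blocklist),
        "first_dated": dated[0],
        "balance_domain": balance_dom,
        "hits": flag_suspicious(logs, blocklist),
    }


if __name__ == "__main__":
    for qname, reason in run_demo()["hits"]:
        print(f"{reason:20s} {qname}")
```

The blocklist path is exact and cheap, which is why pre-computable date-seeded DGAs are comparatively easy to contain; the entropy path is only a heuristic, will miss short or dictionary-based labels and will flag some legitimate names, so in practice it is combined with NXDOMAIN rates, newly-seen-domain age and client behaviour rather than used alone.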

Researchers have yet to uncover further details of the botnet, and they expect its authors to keep launching attacks, since these are not yet easily detected.

The appearance of this new Orchard botnet in the wild came shortly after another IoT malware botnet, RapperBot, targeted Linux servers. Its use of Bitcoin transaction information suggests that new strains could appear soon.
