Malware Coordination using the Blockchain: An Analysis of the Cerber Ransomware

Stijn Pletinckx; Cyril Trap; Christian Doerr

doi:10.1109/CNS.2018.8433199

Malware Coordination using the Blockchain: An Analysis of the Cerber Ransomware

Stijn Pletinckx, Cyril Trap, Christian Doerr

Cyber Security

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

29 Citations (Scopus)

Abstract

In order for malicious software to receive configuration information or commands, malware needs to be able to locate and connect to its owner. As hard-coded addresses are easy to block and thus render the malware installation inoperable, malware writers have turned to dynamically generated addresses. Domain generation algorithms (DGA) generate a list of candidate domain names, each valid for only a short time, at which the malware installation searches for its command & control (C&C) server. As DGAs generate a large list of potential domains - out of which one or a few is actually in use -, they leave a characteristic trace of many failed DNS lookups (NXDomain) in the network, and in result most DGAs can be efficiently detected. In this paper we describe an entirely new principle of domain generation, actively deployed in the Cerber ransomware, which finds and coordinates with its owner based on transaction information in the bitcoin blockchain. This allows the malware author to dynamically update the location of the server in realtime, and as the malware directly goes to the right location no longer generates a sequence of NXDomain responses. We describe the concept of coordination via the blockchain, and report results on a year-long observation of the assets used in the Cerber campaign.

Original language	English
Title of host publication	2018 IEEE Conference on Communications and Network Security (CNS)
Place of Publication	Piscataway, NJ
Publisher	IEEE
Pages	1-9
Number of pages	9
ISBN (Electronic)	978-1-5386-4586-4
ISBN (Print)	978-1-5386-4587-1
DOIs	https://doi.org/10.1109/CNS.2018.8433199
Publication status	Published - 28 May 2018
Event	2018 IEEE Conference on Communications and Network Security - Beijing, China Duration: 30 May 2018 → 1 Jun 2018

Conference

Conference	2018 IEEE Conference on Communications and Network Security
Country/Territory	China
City	Beijing
Period	30/05/18 → 1/06/18

Keywords

threat intelligence
blockchain
ransomware
C&C
domain-generation-algorithm
campaign analysis

Access to Document

10.1109/CNS.2018.8433199

Cite this

@inproceedings{6ff4dc2a2b1846e69cde343cf3d74531,

title = "Malware Coordination using the Blockchain: An Analysis of the Cerber Ransomware",

abstract = "In order for malicious software to receive configuration information or commands, malware needs to be able to locate and connect to its owner. As hard-coded addresses are easy to block and thus render the malware installation inoperable, malware writers have turned to dynamically generated addresses. Domain generation algorithms (DGA) generate a list of candidate domain names, each valid for only a short time, at which the malware installation searches for its command & control (C&C) server. As DGAs generate a large list of potential domains - out of which one or a few is actually in use -, they leave a characteristic trace of many failed DNS lookups (NXDomain) in the network, and in result most DGAs can be efficiently detected. In this paper we describe an entirely new principle of domain generation, actively deployed in the Cerber ransomware, which finds and coordinates with its owner based on transaction information in the bitcoin blockchain. This allows the malware author to dynamically update the location of the server in realtime, and as the malware directly goes to the right location no longer generates a sequence of NXDomain responses. We describe the concept of coordination via the blockchain, and report results on a year-long observation of the assets used in the Cerber campaign.",

keywords = "threat intelligence, blockchain, ransomware, C&C, domain-generation-algorithm, campaign analysis",

author = "Stijn Pletinckx and Cyril Trap and Christian Doerr",

year = "2018",

month = may,

day = "28",

doi = "10.1109/CNS.2018.8433199",

language = "English",

isbn = "978-1-5386-4587-1",

pages = "1--9",

booktitle = "2018 IEEE Conference on Communications and Network Security (CNS)",

publisher = "IEEE",

address = "United States",

note = "2018 IEEE Conference on Communications and Network Security ; Conference date: 30-05-2018 Through 01-06-2018",

}

TY - GEN

T1 - Malware Coordination using the Blockchain

T2 - 2018 IEEE Conference on Communications and Network Security

AU - Pletinckx, Stijn

AU - Trap, Cyril

AU - Doerr, Christian

PY - 2018/5/28

Y1 - 2018/5/28

N2 - In order for malicious software to receive configuration information or commands, malware needs to be able to locate and connect to its owner. As hard-coded addresses are easy to block and thus render the malware installation inoperable, malware writers have turned to dynamically generated addresses. Domain generation algorithms (DGA) generate a list of candidate domain names, each valid for only a short time, at which the malware installation searches for its command & control (C&C) server. As DGAs generate a large list of potential domains - out of which one or a few is actually in use -, they leave a characteristic trace of many failed DNS lookups (NXDomain) in the network, and in result most DGAs can be efficiently detected. In this paper we describe an entirely new principle of domain generation, actively deployed in the Cerber ransomware, which finds and coordinates with its owner based on transaction information in the bitcoin blockchain. This allows the malware author to dynamically update the location of the server in realtime, and as the malware directly goes to the right location no longer generates a sequence of NXDomain responses. We describe the concept of coordination via the blockchain, and report results on a year-long observation of the assets used in the Cerber campaign.

AB - In order for malicious software to receive configuration information or commands, malware needs to be able to locate and connect to its owner. As hard-coded addresses are easy to block and thus render the malware installation inoperable, malware writers have turned to dynamically generated addresses. Domain generation algorithms (DGA) generate a list of candidate domain names, each valid for only a short time, at which the malware installation searches for its command & control (C&C) server. As DGAs generate a large list of potential domains - out of which one or a few is actually in use -, they leave a characteristic trace of many failed DNS lookups (NXDomain) in the network, and in result most DGAs can be efficiently detected. In this paper we describe an entirely new principle of domain generation, actively deployed in the Cerber ransomware, which finds and coordinates with its owner based on transaction information in the bitcoin blockchain. This allows the malware author to dynamically update the location of the server in realtime, and as the malware directly goes to the right location no longer generates a sequence of NXDomain responses. We describe the concept of coordination via the blockchain, and report results on a year-long observation of the assets used in the Cerber campaign.

KW - threat intelligence

KW - blockchain

KW - ransomware

KW - C&C

KW - domain-generation-algorithm

KW - campaign analysis

U2 - 10.1109/CNS.2018.8433199

DO - 10.1109/CNS.2018.8433199

M3 - Conference contribution

SN - 978-1-5386-4587-1

SP - 1

EP - 9

BT - 2018 IEEE Conference on Communications and Network Security (CNS)

PB - IEEE

CY - Piscataway, NJ

Y2 - 30 May 2018 through 1 June 2018

ER -

Malware Coordination using the Blockchain: An Analysis of the Cerber Ransomware

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this