
Orchard Botnet Uses Satoshi Nakamoto’s Account Information to Generate Domain Names

Orchard is the name of a new botnet that uses transaction information from a Bitcoin account belonging to Bitcoin's creator, Satoshi Nakamoto, as input to its domain generation algorithm (DGA). The generated domain names make the botnet's command-and-control infrastructure harder to track down and block, because the domains the bots will contact are not known in advance.

“Because of the uncertainty of Bitcoin transactions, this technique is more unpredictable than using the common time-generated DGAs, and thus more difficult to defend against,” said 360 Netlab researchers in a recent blog post. The researchers discovered the technique in a family of botnets they called Orchard. Since February 2021, the botnet has released three versions, and has switched programming languages in between.

Why Is the Orchard Botnet Using DGA?

The botnet's purpose is simple: installing various other malware on the compromised machine. The DGA is part of a redundant command-and-control mechanism rather than the payload itself. Each version hard-codes a unique DuckDNS dynamic domain name as its primary C&C and falls back to DGA-generated domains, so the bots can still reach their operators if the hardcoded domain is reported and taken down.
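The following Python script is an added example, not Orchard's code and not taken from the 360 Netlab report. It contrasts a classic date-seeded DGA with one seeded from a Bitcoin address's transaction state, and mirrors the fallback order described above (hardcoded dynamic-DNS name first, then DGA candidates). The hashing scheme, TLD list, domains-per-seed count, the shape and values of the address snapshot, and the DuckDNS name used in the test are all assumptions for illustration; the genesis-block address is real and public, but Orchard's actual derivation is not reproduced here.

```python
"""Toy DGA seeded by a Bitcoin address's transaction state (illustrative only)."""
import hashlib
from datetime import date, timedelta

# Satoshi Nakamoto's genesis-block coinbase address (public, well known).
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
TLDS = ("com", "net", "org")   # assumed TLD list, not Orchard's
DOMAINS_PER_SEED = 10          # assumed number of candidates per seed
LABEL_LENGTH = 12              # assumed label length

# Constructed snapshot of the address's public state, shaped like a block-explorer
# API response. Embedded so the example runs offline; the numbers are made up.
SAMPLE_ADDRESS_INFO = {
    "address": GENESIS_ADDRESS,
    "n_tx": 4200,                  # transactions touching the address
    "final_balance": 6863480000,   # balance in satoshis
}


def seed_from_tx_info(info):
    """Seed derived from the address's transaction state. Anyone who sends even
    dust to the address changes n_tx and the balance, so the seed (and every
    domain derived from it) changes at a moment the malware author does not control."""
    return f"{info['address']}:{info['n_tx']}:{info['final_balance']}"


def seed_from_date(day):
    """Seed for a classic time-based DGA: fully predictable in advance."""
    return day.strftime("%Y%m%d")


def generate_domains(seed, count=DOMAINS_PER_SEED, length=LABEL_LENGTH):
    """Derive `count` candidate domains from a seed. Each candidate hashes seed|index;
    the first `length` digest bytes pick lowercase letters and the last byte picks a TLD.
    Deterministic, so bot and operator agree on the same list."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def precompute_time_dga(start, days):
    """Defender side: a time-based DGA can be enumerated for any future window
    and fed to a sinkhole or blocklist ahead of time."""
    out = set()
    for d in range(days):
        out.update(generate_domains(seed_from_date(start + timedelta(days=d))))
    return out


def tx_dga_overlap(info_before, info_after):
    """Count candidate domains that survive a change in the address's state.
    A single new transaction invalidates the whole set, which is why a defender
    cannot enumerate ahead and must re-run the algorithm on every observed change."""
    before = set(generate_domains(seed_from_tx_info(info_before)))
    after = set(generate_domains(seed_from_tx_info(info_after)))
    return len(before & after)


def find_c2(hardcoded_domain, dga_candidates, resolves):
    """Mirror of the redundant C&C: try the hardcoded dynamic-DNS name first and
    fall back to DGA candidates in order. `resolves` is a predicate standing in
    for a DNS lookup so the example stays offline."""
    for name in (hardcoded_domain, *dga_candidates):
        if resolves(name):
            return name
    return None


if __name__ == "__main__":
    today = date(2022, 8, 1)
    print("time DGA (enumerable ahead):", generate_domains(seed_from_date(today))[:3])
    print("tx DGA from snapshot:", generate_domains(seed_from_tx_info(SAMPLE_ADDRESS_INFO))[:3])
    bumped = dict(SAMPLE_ADDRESS_INFO, n_tx=SAMPLE_ADDRESS_INFO["n_tx"] + 1,
                  final_balance=SAMPLE_ADDRESS_INFO["final_balance"] + 546)
    print("candidates surviving one new transaction:",
          tx_dga_overlap(SAMPLE_ADDRESS_INFO, bumped))
```

The practical consequence for defenders is in `precompute_time_dga` versus `tx_dga_overlap`: the date-seeded list for the next week can be generated today and sinkholed, while the transaction-seeded list is only knowable once the address's current state is observed, and it is replaced wholesale by the next transaction to that address.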

The Orchard botnet also uploads device and user information and infects USB storage devices to spread further. So far, at least 3,000 machines have been infected, most of them in China. The malware has received several significant updates over the past year and switched from Go to C++ for its third variant. The most recent version can also launch the XMRig mining program to mine Monero (XMR) with the victim's computing resources.

In terms of infection scale, the research team estimated that v1 and v2 each have thousands of nodes, while v3 has fewer because it appeared later. All three versions share the same core functions:

  • Uploading device and user information;
  • Responding to commands and downloading and executing the next-stage module;
  • Infecting USB storage devices.

“At the time of writing, we found that other researchers had recently noticed this use of bitcoin account transaction information as DGA input for v3. The results of their analysis agreed with ours, but they did not notice that Orchard had actually been around for a long time,” the report noted.

Milena Dimitrova
