The primary goal is to be able to recover from offensive actions taken against the botnet, says Akamai researcher Evyatar Saias. The operators want to ensure that if domains are seized or IP addresses are null-routed, they have an out-of-band method for communicating information that points infected systems to new C2 servers, he says. They leverage the blockchain to do that because it is decentralized and won't be taken down, Saias says.
The cryptocurrency-mining botnet malware that Akamai observed using the new technique is associated with a campaign called Skidmap that targets Linux machines, which Trend Micro first reported in September 2019. The malware exploits publicly known remote code execution vulnerabilities in technologies such as Hadoop YARN and Elasticsearch.