A newly identified botnet loader is moving its command-and-control (C2) operations onto the Polygon blockchain, eliminating the central servers that law enforcement and security companies have traditionally targeted to dismantle malicious networks.
Aeternum C2, discovered by Qrator Research Lab while monitoring cybercrime forums, replaces conventional infrastructure with smart contracts hosted on the Polygon blockchain. Instead of communicating with hardcoded IP addresses or registered domains, infected machines retrieve instructions written directly to the blockchain, where transactions are publicly recorded and cannot be removed.
For years, law enforcement agencies have disrupted operations such as Emotet, TrickBot and QakBot by seizing servers or suspending domains. Aeternum appears to remove that weak point entirely.
Using Smart Contracts for Control
According to the vendor's documentation and panel screenshots reviewed by Qrator, Aeternum is a native C++ loader offered in x32 and x64 builds.
Operators manage infections through a web dashboard that lets them select a smart contract, choose a command type, and specify a payload URL. Once submitted, the instruction is written to the blockchain as a transaction and becomes available to bots querying more than 50 remote procedure call (RPC) endpoints.
The vendor claims new commands reach active bots within two to three minutes.
Operators can run multiple smart contracts simultaneously, each linked to different payloads or capabilities, including:
- Clipper modules
- Info-stealing DLLs
- PowerShell or batch scripts
- Remote access tools and cryptocurrency miners
Blockchain data is replicated across thousands of nodes, meaning there is no central infrastructure to seize. Only the wallet holder can issue or modify commands tied to a given contract.
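Because the contracts cannot be seized, detection has to focus on the bots' behaviour instead: a compromised host that polls many public blockchain RPC endpoints on a fixed cadence stands out in egress logs. The heuristic below is an added example written for this article, not code from the article, from Qrator or from the Aeternum vendor. It assumes an egress proxy log that records, per request, the timestamp, source host, destination host and the JSON-RPC method name from the request body, and it assumes the bot reads contract state with the standard Ethereum `eth_call` method (which Polygon nodes also serve); the article only says bots query RPC endpoints, so that method name, the thresholds and the endpoint hostnames and log lines are constructed for the example.

```python
"""Flag hosts whose JSON-RPC traffic looks like blockchain-backed C2 polling.

Added example, not from the article or from Qrator. Assumed log format per line:
    <ISO timestamp> <source host> <destination host> <jsonrpc method>
Endpoint names, hosts and timestamps below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ws-042 fans out eth_call to many endpoints every ~150 s,
# while dev-007 is a developer making sporadic, unrelated RPC calls.
SAMPLE_LOG = """\
2024-05-01T10:00:01 ws-042 rpc-a.example-chain.test eth_call
2024-05-01T10:00:01 ws-042 rpc-b.example-chain.test eth_call
2024-05-01T10:00:02 ws-042 rpc-c.example-chain.test eth_call
2024-05-01T10:02:31 ws-042 rpc-d.example-chain.test eth_call
2024-05-01T10:02:31 ws-042 rpc-e.example-chain.test eth_call
2024-05-01T10:02:32 ws-042 rpc-f.example-chain.test eth_call
2024-05-01T10:05:02 ws-042 rpc-g.example-chain.test eth_call
2024-05-01T10:05:02 ws-042 rpc-h.example-chain.test eth_call
2024-05-01T10:05:03 ws-042 rpc-a.example-chain.test eth_call
2024-05-01T10:01:15 dev-007 rpc-a.example-chain.test eth_blockNumber
2024-05-01T10:47:40 dev-007 rpc-a.example-chain.test eth_getBalance
2024-05-01T11:20:05 dev-007 rpc-a.example-chain.test eth_call
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, method) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, method))
    return records


def group_rounds(times, gap_s=10):
    """Collapse requests made within gap_s of each other into one polling round.

    A bot that fans out to many endpoints at once produces a burst of requests;
    the start time of each burst is what we compare to measure the cadence.
    """
    rounds = []
    for t in sorted(times):
        if rounds and (t - rounds[-1][-1]).total_seconds() <= gap_s:
            rounds[-1].append(t)
        else:
            rounds.append([t])
    return [r[0] for r in rounds]


def find_polling_hosts(records, min_endpoints=5, min_rounds=3, max_jitter_ratio=0.2):
    """Return hosts that read contract state from many endpoints on a regular beat.

    Thresholds are assumptions for the example: at least min_endpoints distinct
    RPC hosts, at least min_rounds bursts, and interval jitter (population std
    dev divided by mean interval) no larger than max_jitter_ratio.
    """
    by_host = defaultdict(lambda: {"endpoints": set(), "times": []})
    for ts, src, dst, method in records:
        if method == "eth_call":  # assumed contract-read method, see lead-in
            by_host[src]["endpoints"].add(dst)
            by_host[src]["times"].append(ts)

    findings = {}
    for host, info in by_host.items():
        if len(info["endpoints"]) < min_endpoints:
            continue
        starts = group_rounds(info["times"])
        if len(starts) < min_rounds:
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        period = mean(intervals)
        jitter = pstdev(intervals) / period if period else 0.0
        if jitter <= max_jitter_ratio:
            findings[host] = {
                "endpoints": len(info["endpoints"]),
                "rounds": len(starts),
                "period_s": round(period, 1),
            }
    return findings


if __name__ == "__main__":
    for host, detail in find_polling_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {detail['endpoints']} RPC endpoints, "
              f"{detail['rounds']} rounds, every ~{detail['period_s']} s")
```

The cadence check matters more than the endpoint count on its own: legitimate wallet or dApp traffic also touches public RPC endpoints, but it rarely does so at a machine-regular interval from a workstation that has no business reason to read contract state. Tuning the thresholds to the environment (and pairing the alert with the list of endpoints involved, so they can be blocked at the proxy) turns the heuristic into something an analyst can act on.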
How the Model Complicates Disruption Efforts
Traditional takedown strategies rely on identifiable infrastructure. Domains can be suspended. Hosting providers can null-route IP addresses. Physical servers can be confiscated. Even peer-to-peer (P2P) botnets have been weakened by targeting their bootstrap nodes.
Blockchain-based control changes that equation. Commands stored on-chain are effectively permanent and globally accessible.
The difference can be seen in the 2021 disruption of the Glupteba botnet, which Google said reduced infections by 78%. Glupteba used the Bitcoin blockchain only as a backup channel, yet that was enough to let it recover months later. Aeternum, by comparison, appears to rely on the blockchain as its primary communication layer.
Operational costs are also low. The vendor advertises lifetime licences or the full C++ source code, noting that $1 in MATIC can fund 100-150 command transactions. No domains, rented servers or hosting providers are required.
“Traditional upstream takedowns become harder when the C2 channel is immutable, and even when every infected machine is remediated, the operator can redeploy using the same contracts without rebuilding anything,” Qrator wrote.
“This makes proactive DDoS mitigation more important than ever. If the botnet cannot be taken down at the source, the only remaining defence is filtering its traffic at the edge.”