Select Page

A new botnet named Orchard has been observed using Bitcoin creator Satoshi Nakamoto’s account transaction information to generate domain names to conceal its command-and-control (C2) infrastructure.

“Because of the uncertainty of Bitcoin transactions, this technique is more unpredictable than using the common time-generated [domain generation algorithms], and thus more difficult to defend against,” researchers from Qihoo 360’s Netlab security team said in a Friday write-up.

Orchard is said to have undergone three revisions since February 2021, with the botnet primarily used to deploy additional payloads onto a victim’s machine and execute commands received from the C2 server.

It’s also designed to upload device and user information as well as infect USB storage devices to propagate the malware. Netlab’s analysis shows that over 3,000 hosts have been enslaved by the malware to date, most of them located in China.

Orchard has also been subjected to significant updates in over a year, one of which entails a brief tryst with Golang for its implementation, before switching back to C++ in its third iteration.

images from Hacker News