Orchard botnet uses Bitcoin Transaction info to generate DGA domains

Experts spotted a new botnet named Orchard using Bitcoin creator Satoshi Nakamoto’s account information to generate malicious domains.

360 Netlab researchers recently discovered a new botnet named Orchard that uses transaction information from Satoshi Nakamoto’s Bitcoin address (1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa) to generate DGA domain names.

“Another change relates to the use of the DGA algorithm employed in the attacks. While the first two variants exclusively rely on date strings to generate the domain names, the newer version uses balance information obtained from the cryptocurrency wallet address ‘1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa’,” reads the analysis published by the researchers. “It’s worth pointing out that the wallet address is the miner reward receiving address of the Bitcoin Genesis Block, which occurred on January 3, 2009, and is believed to be held by Nakamoto.”

“Over the past decade or so, small amounts of bitcoin have been transferred to this wallet on a daily basis for various reasons, so it is variable and that change is difficult to predict, so the balance information for this wallet can also be used as DGA input,” the researchers added.

According to the researchers, because Bitcoin transactions to this address cannot be predicted in advance, this technique is more unpredictable than the common time-seeded DGAs and therefore harder to defend against: defenders cannot precompute and sinkhole the domains for future days the way they can when the only DGA input is the date.
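To make the defensive implication concrete, the following Python snippet is an added illustration of a balance-seeded DGA and is not Orchard’s actual algorithm (the article does not reproduce it); the hashing scheme, label length and TLD list are assumptions made for the example. It shows two things: the same (balance, date) pair always yields the same domains, so a defender who reads the current balance from the public ledger can reproduce today’s list, while a different balance yields a different list, which is why the domains for future days cannot be computed ahead of time.

```python
import hashlib
import re
from datetime import date

# Genesis-block reward address quoted in the article (public data).
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Assumed TLD set for the illustration; not taken from the Orchard samples.
TLDS = ("com", "net", "org")
# Accept only hex labels, which are always valid DNS label characters.
DOMAIN_RE = re.compile(r"^[0-9a-f]{12}\.(com|net|org)$")


def dga_seed(balance_sat: int, day: date) -> bytes:
    """Mix the wallet balance (in satoshi) and the date into one seed.

    Hypothetical scheme: the article only says the balance is used as DGA
    input, not how it is combined with other material.
    """
    material = f"{GENESIS_ADDRESS}:{balance_sat}:{day.isoformat()}".encode()
    return hashlib.sha256(material).digest()


def generate_domains(balance_sat: int, day: date, count: int = 3):
    """Derive `count` candidate C2 domains from the seed.

    Each domain is the first 12 hex characters of SHA-256(seed || index),
    with the TLD picked from the last byte of the same hash.
    """
    seed = dga_seed(balance_sat, day)
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + bytes([i])).hexdigest()
        label = h[:12]
        tld = TLDS[int(h[-2:], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def defender_can_reproduce(observed_balance_sat: int, day: date) -> bool:
    """A defender who reads the same public balance gets the same list.

    The balance is on a public ledger, so the 'unpredictability' only
    prevents precomputing *future* domains; it does not hide today's.
    """
    return generate_domains(observed_balance_sat, day) == generate_domains(
        observed_balance_sat, day
    )


def all_valid_domains(domains) -> bool:
    """Sanity check that every generated string is a plausible hostname."""
    return all(DOMAIN_RE.match(d) for d in domains)


if __name__ == "__main__":
    # Constructed sample values, not real balances of the genesis address.
    today = date(2022, 8, 1)
    yesterday_balance = 6_850_000_000   # satoshi, constructed
    today_balance = 6_850_012_345       # satoshi, constructed (one small deposit later)

    print("domains if balance unchanged:", generate_domains(yesterday_balance, today))
    print("domains after one deposit:   ", generate_domains(today_balance, today))
    print("defender reproduces today's set:", defender_can_reproduce(today_balance, today))
```

The practical takeaway for detection teams is that a balance-seeded DGA shifts the work from precomputation to near-real-time tracking: the blocklist or sinkhole set has to be regenerated whenever the ledger shows a new deposit to the address, rather than being generated once for the coming weeks.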

The researchers have identified three versions of this botnet since February 2021 and noticed that its operators switched programming languages during that period.

The bot allows operators to deploy
