Orchard Botnet has been seen using Bitcoin founder Satoshi Nakamoto’s account transaction information to create DGA domain names to obscure its C2 infrastructure. Researchers state that the technique is far more effective due to the uncertainty associated with Bitcoin transactions, making it highly difficult to defend against Orchard.
Infection summary
Since February 2021, Orchard botnet has undergone three transformations so far with this version being the latest one.
- Orchard employs DGA technology to install various malware on the victim's machine.
- Besides harvesting device and user information, this botnet infects USB storage devices to spread the malware.
- To date, over 3,000 hosts in China have been victimized by the malware, according to Netlab's analysis.
What’s new in Orchard botnet?
With Orchard’s latest version, users can launch an XMRig mining program to mine Monero by exploiting the compromised system's resources.
- Orchard’s recent version distinguishes itself from the first two in terms of how the DGA algorithm is used in the attacks.
- The first two variants relied heavily on date strings to create the domain names, while the latest version uses balance information obtained from the Bitcoin wallet address to generate separate DGA domains.
Conclusion
The introduction of Orchard botnet comes at a time when another IoT botnet malware codenamed RapperBot targets Linux servers. Orchard’s latest version has started using Bitcoin transaction information, which gives rise to the speculation that more Orchard variants are expected to emerge in the days to come.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/f3ab_shutterstock_640377106.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_334486298.jpg)
