Orchard is the name of a new botnet leveraging Bitcoin creator Satoshi Nakamoto’s account transaction information to generate DGA [Domain Generation Algorithms] domain names. This is done to hide the command and control infrastructure of the botnet.

Orchard is said to have undergone three patches since February 2021, with the botnet being used primarily to drop additional payloads onto the victim’s computer and to execute commands received from the C2 server.

“Due to the uncertainty of Bitcoin transactions, this technique is more unpredictable than using common time-generated DGAs, and therefore more difficult to defend against,” said 360 Netlab researchers in a recent blog post. The researchers discovered the technique in a family of botnets they named Orchard. Since February 2021, the botnet has released three versions, changing programming languages in between.

In particular, it is designed to upload device and user information as well as infect USB storage devices to spread the malware. Netlab’s analysis shows that more than 3,000 hosts have been enslaved by the malware to date, most of them located in China.

Another change concerns the DGA algorithm used in the attacks. While the first two variants rely solely on date strings to generate domain names, the newer version uses balance information obtained from the cryptocurrency wallet address “1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa”. This wallet address is the miner’s reward receiving address of the Genesis Block, mined on January 3, 2009, and is believed to be in the hands of Nakamoto.
