Orchard is a botnet family that uses DGA technology to generate C2 domains, incorporating Bitcoin wallet transaction data as inputs to the DGA to increase unpredictability. It has evolved across three versions since 2021, combining hardcoded DuckDNS domains with domain-generation techniques and adding Monero mining capabilities in later stages. #Orchard #DuckDNS #Bitcoin #SatoshiNakamoto #Monero #XMRig
Key points
- Orchard is a botnet family that uses DGA technology with the core function of installing various malware on the victim’s machine.
- From February 2021 to the present, we have detected 3 versions of Orchard samples, all using the DGA technique.
- Orchard’s DGA algorithm itself has remained unchanged, but the way dates are fed into it has changed between versions, and the latest version additionally supports using Bitcoin account information to generate a separate set of DGA domains.
- In addition to DGA, Orchard also hardcodes C2 domains.
- Orchard is still active and dedicated to Monero mining.
- Orchard uses a redundant C2 mechanism of “hardcoded domain + DGA”, and each version hardcodes a unique DuckDNS dynamic domain name as C2.
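Because the C2 mechanism is "hardcoded DuckDNS domain + DGA", a defender should watch for both the known indicators and the NXDOMAIN churn a DGA fallback produces. The following detection sketch is an added example, not code from the original report: it matches DNS query logs against the C2 domains and IPs listed below and counts NXDOMAIN responses per client. The log format, the threshold and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators listed in this report.
ORCHARD_C2_DOMAINS = {
    "orcharddns.duckdns.org", "orchardmaster.duckdns.org", "ojena.duckdns.org",
    "vgzero.duckdns.org", "victorynicholas.duckdns.org", "zamarin1.duckdns.org",
}
ORCHARD_C2_IPS = {"45.61.185.36", "45.61.186.52", "45.61.187.240",
                  "205.185.124.143", "45.61.185.231"}
NXDOMAIN_THRESHOLD = 5  # assumption: tune to the environment's baseline

# Assumed (constructed) log format: "<client_ip> <qname> <rcode> [<answer_ip>]"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)(?:\s+(\S+))?$")

def analyse(lines):
    """Return (ioc_hits, dga_suspects).
    ioc_hits: (client, qname, reason) tuples for known Orchard indicators.
    dga_suspects: {client: nxdomain_count} for clients at or above the
    threshold, the lookup churn expected when a bot walks DGA candidates."""
    ioc_hits = []
    nx_counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        client, qname, rcode, answer = m.groups()
        qname = qname.rstrip(".").lower()
        if qname in ORCHARD_C2_DOMAINS:
            ioc_hits.append((client, qname, "known Orchard C2 domain"))
        elif answer in ORCHARD_C2_IPS:
            ioc_hits.append((client, qname, "resolved to known Orchard C2 IP"))
        if rcode == "NXDOMAIN":
            nx_counts[client] += 1
    dga_suspects = {c: n for c, n in nx_counts.items() if n >= NXDOMAIN_THRESHOLD}
    return ioc_hits, dga_suspects

# Constructed sample log; the NXDOMAIN names are made up, not Orchard's DGA output.
SAMPLE_LOG = [
    "10.0.0.5 orcharddns.duckdns.org. NOERROR 45.61.185.36",
    "10.0.0.5 kjq3x8mzr.com NXDOMAIN", "10.0.0.5 p0zr9aaqt.com NXDOMAIN",
    "10.0.0.5 wq7m1ndlo.com NXDOMAIN", "10.0.0.5 tr3k8vcbe.com NXDOMAIN",
    "10.0.0.5 m9x2lq0hs.com NXDOMAIN",
    "10.0.0.7 updates.example.com NOERROR 198.51.100.10",
    "10.0.0.7 typo.example.com NXDOMAIN",
    "10.0.0.9 mirror.example.net NOERROR 45.61.186.52",
]

if __name__ == "__main__":
    hits, suspects = analyse(SAMPLE_LOG)
    print(hits, suspects)
```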
MITRE Techniques
- [T1568] Domain Generation Algorithms – DGA-based C2 domain generation using date strings and other inputs; “Orchard uses a redundant C2 mechanism of ‘hardcoded domain + DGA’, and each version hardcodes a unique DuckDNS dynamic domain name as C2.”
- [T1105] Ingress Tool Transfer – C2 check-in and download/execute flow; “The information collected by v1 version includes: volume serial number (HWID)…” and “The bot in the check-in process will contact C2 to send the collected host information, and then wait for C2 response.”
- [T1082] System Information Discovery – Collects host data like HWID, computer name, OS version, antivirus info; “The information collected by v1 version includes: volume serial number (HWID), computer name, user name, operating system name, system version, antivirus information…”
- [T1055] Process Injection – Execution via puppet process and remote thread injection; “CreateProcess to create a process, puppet process, remote thread injection, etc.”
- [T1091] Replication Through Removable Media – USB infection as propagation method; “All three versions support propagation by infecting USB disks…”
- [T1496] Resource Hijacking – Cryptocurrency mining (XMRig) in v3; “mining-related hardware information” and “XMRig miner program” being used.
- [T1027] Obfuscated/Compressed Files and Information – Loader protection with base64 encoding and virtualization packers (VMP, Enigma); “base64 encoded in the loader” and “virtualization packers such as VMP, Enigma, etc.”
Indicators of Compromise
- [Domain] C2 domains – orcharddns.duckdns.org, orchardmaster.duckdns.org, ojena.duckdns.org, vgzero.duckdns.org, victorynicholas.duckdns.org, zamarin1.duckdns.org
- [IP] C2 IP addresses – 45.61.185.36, 45.61.186.52, 45.61.187.240, 205.185.124.143, 45.61.185.231
- [MD5] Hashes – 5c883ff8539b8d04be017a51a84e3af8, f3e0b960a48b433bc4bfe6ac44183b74
- [Wallet] Bitcoin wallet – 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
- [Mining] Private mining pool – 45.61.187.7:7733