Smargaft utilizes EtherHiding for covert C2 hosting | APNIC Blog

XLab discovered a new botnet, dubbed Smargaft, that keeps its C2 configuration in a Binance Smart Chain smart contract (the abuse known as EtherHiding) and retrieves it with read-only JSON-RPC eth_call requests, so the C2 list can be updated by the operator but cannot be taken down by defenders. The bot supports multiple DDoS vectors and a socks5 proxy, spreads worm-like through several known CVE exploits, and persists by infecting .sh files and mounting over /proc/<pid> directories.

Keypoints

  • Smargaft uses smart contracts on Binance Smart Chain to store C2 addresses, making C2 persistent and hard to remove (EtherHiding).
  • Bots retrieve C2 by sending JSON-RPC eth_call requests to one of 14 hardcoded RPC endpoints and parsing the returned hex payload.
  • The smart contract address used by Smargaft is 0xdf2208d4902aa1ec9a0957132ca86a4e1d40455b; earlier test contracts and writes were observed in September–December 2023.
  • Propagation is worm-like: a downloader is deployed via multiple known vulnerabilities (e.g., CVE-2013-5948, CVE-2020-8515, LILIN/TVT DVR RCEs) to fetch the bot binary.
  • Runtime tasks include periodic GetC2 (every 3,000s), DDoS (every 8s), IP forwarding, persistence (every 100 hours), and a killer task; 15 text-based C2 commands implement multiple DDoS vectors and socks5 proxy.
  • Persistence techniques include appending bot execution lines to .sh scripts (virus-like infection) and mounting a filesystem over the bot's own /proc/<pid> directory to hide process information from tools such as netstat.
  • Captured artifacts: x86_64 UPX-packed sample (MD5 7f741495f14c828c20db4de6251673fd), C2 IPs embedded on-chain (e.g., 45.95.146.93), and use of port 81 for C2 control connections.

MITRE Techniques

  • [T1102] Web Service – Smargaft stores and manages C2 via on-chain smart contracts on Binance Smart Chain: “the developers of Smargaft configure and manage the C2 infrastructure through smart contracts, with the C2-related information ultimately stored on the blockchain.”
  • [T1071] Application Layer Protocol – Bots query the blockchain using JSON-RPC (eth_call) over HTTP to retrieve C2 without transactions: “Smargaft’s malicious software (bot samples) communicates with the blockchain network via JSON RPC to retrieve C2 information.”
  • [T1190] Exploit Public-Facing Application – Smargaft propagates by exploiting multiple known vulnerabilities to install a downloader: “Smargaft spreads by exploiting known vulnerabilities to propagate a Downloader onto target devices.”
  • [T1498] Network Denial of Service – The bot supports and executes multiple DDoS vectors (e.g., syn, udph, gre) controlled by C2 commands: “It mainly does Distributed Denial-of-Service (DDoS) attacks…the DDoS task connects with C2 on port 81 and sends a ready packet.”
  • [T1547] Boot or Logon Autostart Execution – Persistence is achieved by infecting .sh files so the bot is executed whenever infected scripts run: “Infect_sh function implements a virus-like infection for files with the .sh suffix… ensuring the bot gets executed every time such a script runs.”
  • [T1562] Impair Defenses – The malware mounts tmpfs/devpts/minix/sysfs onto /proc/pid to prevent process enumeration and hide itself from tools: “it mounts one of tmpfs, devpts, minix, or sysfs onto the /proc/pid directory… preventing tools that rely on the /proc filesystem from obtaining accurate information.”

Indicators of Compromise

  • [Contract address] Smargaft on-chain C2 contract – 0xdf2208d4902aa1ec9a0957132ca86a4e1d40455b (final), 0xe77c6a0E10F2A469fb2afa667C99180E186233a8 (test)
  • [C2 IPs] On-chain C2 list embedded in contract writes – 45.95.146.93, 94.103.188.167, 185.132.125.193 (and other C2 entries)
  • [Sample hash] Captured bot binary – MD5 7f741495f14c828c20db4de6251673fd (ELF x86_64, UPX-packed)
  • [RPC endpoints] Hardcoded RPC nodes used to query contracts – example: https://rpc.ankr.com/bsc (bots use 14 different RPC addresses)
  • [Exploits / Vulnerabilities] Used for initial access – CVE-2013-5948, CVE-2020-8515 (plus LILIN_DVR_RCE, TVT_API_RCE)
  • [Ports] Network characteristics – C2 control on port 81, DDoS observed to target port 17481, bot SYN source port 55555

Smargaft’s technical flow centers on using Binance Smart Chain smart contracts as C2 storage that defenders cannot seize: the operator writes C2 IP lists into contract storage (observed contract 0xdf2208d4902aa1ec9a0957132ca86a4e1d40455b), and bots issue JSON-RPC eth_call requests to public or private RPC endpoints (14 hardcoded RPC nodes are embedded) to fetch the latest list. eth_call is a read-only call, so retrieval creates no on-chain transaction and costs no gas. Bots parse the returned hex result, extract a semicolon-separated list of addresses (an example payload decoded to 45.95.146.93;94.103.188.167;185.132.125.193), test each address on port 81 by sending a short `ready\x00` packet, and then use the first responsive C2 for tasking.
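To make the retrieval step concrete, the following added example (not Smargaft's code and not from the XLab or APNIC write-up) builds the eth_call request body a bot would POST to an RPC node and decodes the ABI-encoded `string` that a Solidity getter returns into the C2 list. The contract address is the one from the report; the getter's 4-byte function selector is not given on the page, so the example takes it as a parameter and uses a placeholder, and the "on-chain" response is constructed locally from the three addresses the report decoded.

```python
"""Build an eth_call and decode its ABI-encoded string result into C2 addresses.

Added example; not code from the Smargaft sample or the report. An eth_call on
a getter that returns a Solidity `string` yields: 32-byte offset, 32-byte
length, then the UTF-8 bytes padded up to a 32-byte boundary.
"""
import ipaddress
import json

CONTRACT = "0xdf2208d4902aa1ec9a0957132ca86a4e1d40455b"  # from the report
PLACEHOLDER_SELECTOR = "0x00000000"  # hypothetical: the real getter selector is not on the page


def build_eth_call(contract: str, selector_hex: str, rpc_id: int = 1) -> dict:
    """JSON-RPC body a bot would POST to an RPC node: read-only, no transaction."""
    return {
        "jsonrpc": "2.0",
        "id": rpc_id,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector_hex}, "latest"],
    }


def abi_encode_string(s: str) -> str:
    """Encode a Solidity `string` return value as a node would (used here only
    to construct the sample response offline)."""
    raw = s.encode("utf-8")
    head = (32).to_bytes(32, "big")            # offset of the dynamic data
    length = len(raw).to_bytes(32, "big")
    padded = raw + b"\x00" * (-len(raw) % 32)  # pad to a 32-byte boundary
    return "0x" + (head + length + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Inverse of the above; mirrors what the bot does with the `result` field."""
    data = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(data) < 64:
        raise ValueError("response too short for an ABI-encoded string")
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        raise ValueError("offset points past the payload")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("declared length runs past the payload")
    return data[start:start + length].decode("utf-8")


def parse_c2_list(result_hex: str) -> list:
    """Split the decoded string on ';' and keep only well-formed IPv4 entries."""
    c2s = []
    for entry in abi_decode_string(result_hex).split(";"):
        entry = entry.strip()
        if not entry:
            continue
        try:
            ipaddress.IPv4Address(entry)
        except ValueError:
            continue  # ignore junk the operator (or a tampered node) returned
        c2s.append(entry)
    return c2s


def c2s_from_response(body: str) -> list:
    """Take a raw JSON-RPC response body and return the C2 list."""
    return parse_c2_list(json.loads(body)["result"])


# Constructed sample response carrying the three addresses the report decoded.
SAMPLE_RESULT = abi_encode_string("45.95.146.93;94.103.188.167;185.132.125.193")
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": SAMPLE_RESULT})

if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, PLACEHOLDER_SELECTOR)))
    print(c2s_from_response(SAMPLE_RESPONSE))
```

For detection, the request side is the useful part: an IoT device or server that has no business talking to blockchain RPC nodes yet POSTs `"method": "eth_call"` to hosts such as rpc.ankr.com is worth a look, and blocking the 14 embedded RPC endpoints only forces the operator to rotate nodes, not contracts.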

On compromised hosts the binary (ELF x86_64 UPX-packed sample MD5 7f741495f14c828c20db4de6251673fd) initializes a task chain and periodically performs GetC2 (every ~3,000s), DDoS (every ~8s), IP forwarding, persistence, and a killer routine. The DDoS task opens a text-based C2 session on port 81 and supports 15 commands implementing multiple vectors (ack, syn, gre, tcph, udpg, udph, httph, stomp, spoof_vse, spoof_syn, socket), socks5 proxy, exec, update, and kill. Example capture shows udph traffic targeting 43.249.192.173:17481.

Propagation is achieved by exploiting public-facing device vulnerabilities to install a downloader that fetches the bot (notable vulns include CVE-2013-5948 and CVE-2020-8515 plus the LILIN and TVT DVR RCEs). For persistence, Smargaft appends execution lines to .sh scripts (a virus-like Infect_sh routine with configurable directory depth) and periodically mounts tmpfs, devpts, minix or sysfs over its own /proc/<pid> directory to obstruct process enumeration tools (e.g., netstat), complicating detection and removal. The process itself is still in the kernel's PID table; only the directory that tools read from is shadowed, so the mount is visible in the mount table even when the process is not.
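Because the overmount hides the process from /proc readers but not from the mount table, the mount table is the place to look. The following added example (not from the report or the sample) parses /proc/self/mountinfo lines and flags any filesystem mounted directly over a /proc/<pid> directory, which has no legitimate use; the mountinfo content below is constructed for the demonstration.

```python
"""Detect Smargaft-style overmounts of /proc/<pid> from /proc/self/mountinfo.

Added example, not from the report. mountinfo line layout:
  <id> <parent> <maj:min> <root> <mount point> <opts> [optional...] - <fstype> <source> <super opts>
"""
import re

PROC_PID = re.compile(r"^/proc/(\d+)$")


def _unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> list:
    """Return (mount_point, fstype) for every well-formed mountinfo line."""
    rows = []
    for line in text.splitlines():
        head, sep, tail = line.partition(" - ")
        if not sep:
            continue  # blank or malformed line
        fields = head.split()
        tail_fields = tail.split()
        if len(fields) < 6 or not tail_fields:
            continue
        rows.append((_unescape(fields[4]), tail_fields[0]))
    return rows


def find_proc_overmounts(text: str) -> list:
    """Flag any non-proc filesystem mounted directly on /proc/<pid>.

    Returns sorted (pid, fstype) pairs. Legitimate mounts under /proc
    (e.g. /proc/sys/fs/binfmt_misc) do not match the /proc/<digits> pattern.
    """
    hits = []
    for mount_point, fstype in parse_mountinfo(text):
        m = PROC_PID.match(mount_point)
        if m and fstype != "proc":
            hits.append((int(m.group(1)), fstype))
    return sorted(hits)


def remediation_commands(hits: list) -> list:
    """Unmounting the overlay exposes the real /proc/<pid> again for triage."""
    return [f"umount /proc/{pid}" for pid, _ in hits]


# Constructed sample: a clean host plus two hidden PIDs (1337 under tmpfs,
# 2048 under sysfs), mirroring the filesystem types the report lists.
SAMPLE_MOUNTINFO = """\
22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
23 1 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
40 22 0:35 / /proc/sys/fs/binfmt_misc rw,relatime - binfmt_misc binfmt_misc rw
97 22 0:58 / /proc/1337 rw,relatime - tmpfs tmpfs rw
98 22 0:59 / /proc/2048 rw,relatime - sysfs sysfs rw
"""

CLEAN_MOUNTINFO = "\n".join(SAMPLE_MOUNTINFO.splitlines()[:3]) + "\n"

if __name__ == "__main__":
    try:
        with open("/proc/self/mountinfo") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_MOUNTINFO  # not on Linux: fall back to the constructed sample
    hits = find_proc_overmounts(text)
    for pid, fstype in hits:
        print(f"/proc/{pid} is shadowed by a {fstype} mount")
    for cmd in remediation_commands(hits):
        print(cmd)
```

Run it as root on a suspect host; a hit means some process has deliberately hidden its /proc entry, and after `umount` the real /proc/<pid>/exe and /proc/<pid>/cmdline can be read normally. Since Smargaft re-mounts as part of its persistence task, the check should be scheduled, not run once.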

Read more: https://blog.apnic.net/2024/04/01/smargaft-harnesses-etherhiding-for-stealthy-c2-hosting/