On 21 March 2017, researchers identified RIG exploit kit distribution chains delivering the Ramnit malware to vulnerable systems in the U.K. and Canada. Researchers also identified a second malvertising chain on 25 March delivering both the Ramnit malware and a second-stage payload. Our own analysis of this second-stage payload indicates that it is the Smoke Loader trojan. In addition, we determined that this payload uses a .bit domain for command and control. The .bit top-level domain is decentralized: it does not exist in the public DNS root and can only be resolved by consulting the Namecoin blockchain, in which .bit names are recorded.
We’ve identified several additional relationships between this domain and nodes on the Namecoin blockchain, strongly suggesting that the actors responsible may be Russian or Russian-speaking and may have been distributing Smoke Loader and other malware since at least 16 December 2016, although the first confirmed date for this distribution is 24 February 2017.
Technical Details
When executed, the second-stage payload sends DNS queries for legitimate domains and attempts to send POST requests to those hosts. Hidden among this traffic is a DNS query for a .bit domain (zabugrom[.]bit) sent to a hard-coded DNS server (5.9.49[.]12), followed by a POST request to that domain (Figure 1). This domain serves as the command and control (C2) server for the malware. Because an ordinary recursive resolver cannot answer a .bit query, the malware carries the address of a resolver that can; a DNS query from a host to a resolver that is not the one the organisation configured is therefore a detection point in its own right, independent of the domain name.
Figure 1: Network traffic from the second-stage payload identified by BroadAnalysis
Figure 2: Sample POST request to the malicious domain
This pattern of interleaving the C2 DNS and POST requests with requests to legitimate domains, together with the structure of the POST response (which carries additional plugins for the malware), are well-documented characteristics specific to Smoke Loader. Emerging Threats signatures corroborated this identification.
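The traffic pattern described above lends itself to straightforward log-based detection. The following Python is an added example, not code from the original post and not an Emerging Threats signature: it scans constructed DNS and HTTP log lines (in a simplified one-event-per-line format made up for the example) for queries to a .bit name, queries sent to a resolver that is not on the organisation's approved list, HTTP requests to a .bit host, and the lookup-then-POST sequence the malware produces. The approved-resolver list and the sample log lines are assumptions; the resolver 5.9.49[.]12 and the C2 name are the ones reported above.

```python
"""Added example (not from the original post): flag the Smoke Loader .bit C2
pattern in constructed DNS and HTTP log lines."""
from dataclasses import dataclass

# Resolver reported in the post as hard-coded in the sample.
HARDCODED_RESOLVER = "5.9.49.12"

# Assumption for the example: resolvers the monitored network is allowed to use.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# How long after a .bit DNS query a POST to the same host still counts as one sequence.
SEQUENCE_WINDOW_SECONDS = 60

# Constructed sample log in a simplified one-event-per-line format:
#   <unix_ts> dns  <src_ip> <resolver_ip> <qname>
#   <unix_ts> http <src_ip> <dst_ip> <method> <host> <uri>
SAMPLE_LOG = """\
1490101000 dns  10.0.0.25 10.0.0.53 www.microsoft.com
1490101001 http 10.0.0.25 23.10.20.30 POST www.microsoft.com /
1490101002 dns  10.0.0.25 5.9.49.12 zabugrom.bit
1490101003 http 10.0.0.25 31.41.44.84 POST zabugrom.bit /
1490101004 dns  10.0.0.25 10.0.0.53 www.bing.com
1490101005 http 10.0.0.25 13.107.21.200 POST www.bing.com /
"""


@dataclass(frozen=True)
class Alert:
    ts: int
    src: str
    rule: str
    detail: str


def detect(log_text, approved_resolvers=APPROVED_RESOLVERS,
           window=SEQUENCE_WINDOW_SECONDS):
    """Return alerts for .bit lookups, unapproved resolvers, .bit HTTP
    requests and the lookup-then-POST sequence, in log order."""
    alerts = []
    # (src, qname) -> timestamp of the most recent .bit query, used for sequencing.
    recent_bit_queries = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line: skip rather than crash
        ts, proto, src, dst = int(fields[0]), fields[1], fields[2], fields[3]
        if proto == "dns":
            qname = fields[4].lower().rstrip(".")
            if qname.endswith(".bit"):
                alerts.append(Alert(ts, src, "bit_tld_query", f"{qname} via {dst}"))
                recent_bit_queries[(src, qname)] = ts
            if dst not in approved_resolvers:
                note = " [hard-coded Smoke Loader resolver]" if dst == HARDCODED_RESOLVER else ""
                alerts.append(Alert(ts, src, "unapproved_resolver", f"{qname} via {dst}{note}"))
        elif proto == "http" and len(fields) >= 7:
            method, host, uri = fields[4].upper(), fields[5].lower(), fields[6]
            if not host.endswith(".bit"):
                continue
            alerts.append(Alert(ts, src, "bit_host_http", f"{method} {host}{uri} -> {dst}"))
            q_ts = recent_bit_queries.get((src, host))
            if method == "POST" and q_ts is not None and 0 <= ts - q_ts <= window:
                alerts.append(Alert(ts, src, "bit_lookup_then_post",
                                    f"{host} resolved at {q_ts}, POST at {ts} to {dst}"))
    return alerts


def rules_fired(log_text=SAMPLE_LOG):
    """Names of the rules that fired, in order (handy for a quick check)."""
    return [a.rule for a in detect(log_text)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.ts} {alert.src} {alert.rule}: {alert.detail}")
```

The unapproved-resolver rule is the one worth keeping even after the actors rotate domains: it does not depend on the .bit name or on any particular resolver address, only on the host talking DNS to something other than the resolvers the network is supposed to use.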
Infrastructure and Campaign Duration
Namecoin .bit domains are resolved to IP addresses from records stored on the Namecoin blockchain rather than in the public DNS. Every change a name's owner makes to such a record is itself a blockchain transaction, and so carries the date and time at which it was made. We used this transaction history to identify additional domains and IP addresses associated with these actors.
Figure 3: A snippet of the Namecoin blockchain relationships identified in this research
We identified several key pieces of information through this analysis:
- The actors responsible likely own and use two .bit domains for operations: zabugrom[.]bit (mentioned above) and zabugor[.]bit (identified through this analysis)
- As of 11 March 2017, these domains resolve to 31.41.44.84 and 31.41.44.85 respectively.
- Both domains were registered on the Namecoin blockchain on 16 December 2016.
The proximity of these domains' records on the Namecoin blockchain, the matching registration and last-update dates, and the consecutive IP addresses they currently resolve to strongly suggest that both domains are operated by the same actor.
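The pivot described above can be reproduced mechanically from the names' transaction history. The script below is an added example and not code from the original post; it assumes the history has been exported as (name, transaction date, value) tuples, with values in the JSON form used by the Namecoin d/ namespace (an "ip" field holding a string or a list of strings). The registration date and the current IP addresses of d/zabugrom and d/zabugor are those reported above; the "{}" placeholder registration values, the list-form value, the unparseable record and the unrelated d/control name are constructed for the example, as are the scoring weights.

```python
"""Added example (not from the original post): pivot on Namecoin d/ name
history to test whether two .bit names look like the same operator's."""
import ipaddress
import json
from collections import defaultdict
from itertools import combinations

# Constructed export of name history: (Namecoin name, transaction date UTC,
# value). Values follow the d/ namespace JSON convention, where "ip" is a
# string or a list of strings (assumption for the example). Registration
# dates and the current IPs of d/zabugrom and d/zabugor are those reported
# in the post; the "{}" placeholder values and d/control are constructed.
RECORDS = [
    ("d/zabugrom", "2016-12-16", "{}"),
    ("d/zabugor",  "2016-12-16", "{}"),
    ("d/zabugrom", "2017-03-11", '{"ip": "31.41.44.84"}'),
    ("d/zabugor",  "2017-03-11", '{"ip": ["31.41.44.85"]}'),
    ("d/control",  "2016-11-02", '{"ip": "203.0.113.7"}'),
    ("d/control",  "2017-02-01", "not json at all"),
    ("d/control",  "2017-02-20", '{"ip": "203.0.113.9"}'),
]


def ips_from_value(value):
    """IPv4 addresses in a d/ record value; malformed JSON or junk yields none."""
    try:
        data = json.loads(value)
    except ValueError:
        return set()
    raw = data.get("ip", []) if isinstance(data, dict) else []
    if isinstance(raw, str):
        raw = [raw]
    found = set()
    for item in raw if isinstance(raw, list) else []:
        try:
            found.add(ipaddress.IPv4Address(item))
        except (ValueError, TypeError):
            continue  # "bad", IPv6, nested objects: ignore
    return found


def profile_names(records):
    """Per name: earliest transaction (registration), all dates, all IPs."""
    prof = defaultdict(lambda: {"dates": set(), "ips": set()})
    for name, date, value in records:
        prof[name]["dates"].add(date)
        prof[name]["ips"] |= ips_from_value(value)
    for p in prof.values():
        p["registered"] = min(p["dates"])  # ISO dates sort lexically
    return dict(prof)


def link_evidence(pa, pb):
    """Overlap between two profiles; adjacent IPs weigh most (weights assumed)."""
    shared_dates = sorted(pa["dates"] & pb["dates"])
    same_registration = pa["registered"] == pb["registered"]
    pairs = [(a, b) for a in pa["ips"] for b in pb["ips"]]
    same_slash24 = sorted((str(a), str(b)) for a, b in pairs
                          if ipaddress.ip_network(f"{a}/24", strict=False)
                          == ipaddress.ip_network(f"{b}/24", strict=False))
    adjacent = sorted((str(a), str(b)) for a, b in pairs if abs(int(a) - int(b)) == 1)
    score = len(shared_dates) + int(same_registration) + len(same_slash24) + 2 * len(adjacent)
    return {"shared_dates": shared_dates, "same_registration": same_registration,
            "same_slash24": same_slash24, "adjacent": adjacent, "score": score}


def rank_pairs(records):
    """All name pairs with their evidence, strongest link first."""
    prof = profile_names(records)
    ranked = [(a, b, link_evidence(prof[a], prof[b]))
              for a, b in combinations(sorted(prof), 2)]
    ranked.sort(key=lambda r: r[2]["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for a, b, ev in rank_pairs(RECORDS):
        print(f"{a} <-> {b}: score {ev['score']} {ev}")
```

Shared dates and a shared /24 are weak on their own (a busy hosting block or a popular registration day produces them by chance); the combination with numerically adjacent addresses set in the same transaction window is what makes the link persuasive, which is why the example weights adjacency highest.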
Table 1: IP addresses used by these .bit domains (d/ is the Namecoin namespace for .bit domains)

| Namecoin name | IP address |
| --- | --- |
| d/zabugrom | 213.159.214.12 |
| d/zabugrom | 31.41.44.243 |
| d/zabugrom | 31.41.44.84 |
| d/zabugor | 31.41.44.85 |
| d/zabugor | 31.41.47.127 |
| d/zabugrom | 80.87.202.10 |
| d/zabugor | 82.146.33.30 |
| d/zabugor | 82.146.35.246 |
| d/zabugrom | 85.93.5.165 |
| d/zabugrom | 85.93.5.24 |
Table 2: Timeline of registration and resolution updates for these .bit domains (one row per logged blockchain transaction)

| Namecoin name | Transaction date |
| --- | --- |
| d/zabugrom | 12/16/2016 |
| d/zabugrom | 12/16/2016 |
| d/zabugrom | 12/16/2016 |
| d/zabugor | 12/16/2016 |
| d/zabugor | 12/16/2016 |
| d/zabugor | 12/16/2016 |
| d/zabugrom | 12/17/2016 |
| d/zabugor | 12/17/2016 |
| d/zabugor | 12/18/2016 |
| d/zabugrom | 12/21/2016 |
| d/zabugor | 12/21/2016 |
| d/zabugor | 12/21/2016 |
| d/zabugrom | 1/5/2017 |
| d/zabugrom | 1/5/2017 |
| d/zabugrom | 1/14/2017 |
| d/zabugrom | 1/15/2017 |
| d/zabugrom | 3/11/2017 |
| d/zabugrom | 3/11/2017 |
| d/zabugor | 3/11/2017 |
| d/zabugor | 3/11/2017 |
In addition, both names are transliterations of the Russian slang expression "за бугром" / "за бугор" (literally "over the hill", colloquially "abroad"), and both currently resolved IP addresses are owned by CISHost, a Russian hosting provider, suggesting that the responsible actors may be Russian or Russian-speaking. This attribution is supported by a March 2014 claim that Smoke Loader is only available to Russian-speaking customers. The precise date on which these actors began actively using these domains following their creation is unknown, although a Hybrid Analysis report indicates that zabugrom[.]bit has been in use since at least 24 February 2017.
The following indicators of compromise (IOCs) are associated with the Smoke Loader malware:
| Type | Indicator | Notes |
| --- | --- | --- |
| MD5 | 2fc67dbac8c1922127a27c417d30e8df | MD5 hash of the analyzed Smoke Loader sample. |
| Domain | zabugrom[.]bit | Domain confirmed to be used by Smoke Loader malware for C2 communications. |
| Domain | zabugor[.]bit | Domain suspected to be owned by the Smoke Loader actors for use as a C2. |
| IP | 31.41.44.85 | IP address used by zabugor[.]bit (current as of 11 March 2017). Owned by CISHost, a Russian hosting provider. |
| IP | 31.41.47.127 | IP address used by zabugor[.]bit. Owned by CISHost, a Russian hosting provider. |
| IP | 82.146.33.30 | IP address previously used by zabugor[.]bit. Owned by JSC, a Russian ISP. |
| IP | 82.146.35.246 | IP address previously used by zabugor[.]bit. Owned by JSC, a Russian ISP. |
| IP | 213.159.214.12 | IP address previously used by zabugrom[.]bit. Owned by JSC, a Russian ISP. |
| IP | 31.41.44.243 | IP address used by zabugrom[.]bit. Owned by CISHost, a Russian hosting provider. |
| IP | 31.41.44.84 | IP address used by zabugrom[.]bit (current as of 11 March 2017). Owned by CISHost, a Russian hosting provider. |
| IP | 80.87.202.10 | IP address previously used by zabugrom[.]bit. Owned by JSC, a Russian ISP. |
| IP | 85.93.5.165 | IP address previously used by zabugrom[.]bit. Owned by Emgoldex Ltd, a UAE-based ISP. |
| IP | 85.93.5.24 | IP address previously used by zabugrom[.]bit. Owned by Emgoldex Ltd, a UAE-based ISP. |
Article Link: https://blog.cyber4sight.com/2017/03/smoke-loader-trojan-using-bit-namecoin-blockchain-domains-for-command-and-control/