“When the botnet loses communication to a C2 domain—typically because there is some sort of law enforcement action—the botnet knows to go and scan the entire public Bitcoin blockchain and it looks for transactions between those three Bitcoin addresses,” said Plante. In other words, every time a C2 domain gets taken down, Glupteba can automatically reconstitute via a new domain address sent through the gang’s crypto wallets.
The decentralized nature of the blockchain means that there isn’t really any way to block these messages from going through, or to incapacitate the associated crypto addresses, said Plante.
WHY IT MATTERS: this article reports on the clever use of the Bitcoin blockchain to publish a new command-and-control address, making the botnet resilient to takedown actions. Clever, but unfortunately for a bad purpose. Scroll towards the end of the article for the details.