Understanding the Aeternum C2 Botnet: A New Dawn in Cyber Threats
What is Aeternum C2?
Security researchers have detailed a botnet loader named Aeternum C2 that uses a public blockchain as its command-and-control (C2) channel. Because the commands live on a decentralized ledger rather than on servers the operator owns, there is no C2 host or domain to seize, which makes the infrastructure far harder to dismantle than a traditional server-based model.
According to Qrator Labs, the botnet stores its commands on the Polygon blockchain. Polygon is a widely used public network (Polymarket, the prediction market, runs on it), so the C2 data sits alongside legitimate applications and, once written, is effectively permanent: no registrar, hosting provider or sinkhole operator can take it down.
Previous Uses of Blockchain in Botnets
This is not the first time criminals have put a blockchain to this use. In December 2021, Google reported disrupting the Glupteba botnet, which stored backup C2 domains in Bitcoin transactions so that bots could recover their infrastructure after a takedown. Aeternum C2 goes a step further by using the chain as the primary command channel rather than as a fallback, part of a trend toward C2 designs that survive conventional disruption.
Features and Functionality of Aeternum C2
Aeternum C2 first came to light in December 2022, when Outpost24's KrakenLabs found a threat actor using the handle LenAI advertising it on underground forums. The base tier, priced at $200, buys access to a web panel for controlling infected hosts; the full package, including the C++ source code and future updates, costs $4,000.
The implant ships in both 32-bit and 64-bit builds. The operator issues commands by writing them to smart contracts on the Polygon blockchain; infected machines retrieve them by querying public remote procedure call (RPC) endpoints, so the bot never needs to contact any server the operator controls.
Managing Commands Through a Web Interface
Operation is driven by a web panel in which the operator picks a smart contract, a command type and the URL of the payload to deliver. Each command, whether aimed at every bot or at a specific one, is submitted as a blockchain transaction. A confirmed transaction is immutable: the command cannot be edited or recalled in place, only superseded by a new transaction signed with the wallet that controls the contract.
Qrator Labs adds that an operator can run many smart contracts in parallel, each tied to a different task, such as installing clipper malware, deploying remote access trojans (RATs) or dropping cryptocurrency miners.
Research Findings and Implications
Ctrl Alt Intel found that the C2 panel is a Next.js web application. It lets operators deploy smart contracts to the chain and publish encrypted commands, which the implant fetches, decrypts and executes on the victim machine.
Beyond the blockchain channel, Aeternum C2 includes anti-analysis features intended to keep infections alive longer, such as detecting virtual machines so that it behaves benignly inside analysis sandboxes. Buyers also get access to Kleenscan, a scanning service used to check builds against antivirus engines before deployment so that flagged samples are not shipped.
Low Operational Costs and Expansion Attempts
Running Aeternum C2 is cheap: about $1 worth of MATIC, Polygon's native token, pays the transaction fees for 100 to 150 commands. Since no server has to be rented and no domain registered, a cryptocurrency wallet is the only infrastructure an operator needs, which also removes the hosting and registrar records defenders normally rely on to attribute and take down C2.
LenAI has since grown more ambitious, offering the entire project for $10,000. The buyer would receive the complete toolkit along with LenAI's plans for features that have not yet been implemented.
The Broader Context of Cybercrime
LenAI is also behind a second crimeware product, ErrTraffic, built to automate ClickFix attacks: it injects fake error messages into compromised websites that instruct visitors to run commands which infect their own machines. Taken together, the two products show LenAI operating as a vendor of turnkey attack tooling rather than a one-off developer.
Separately, Infrawatch described DSLRoot, a service that ships dedicated hardware to U.S. homes and enrols the devices in a residential proxy network, so that malicious traffic can be routed through the unwitting residents' home IP addresses.
Conclusion: What’s Next?
Aeternum C2 illustrates how attackers are moving C2 onto infrastructure that cannot be seized. The defensive angle follows from the design: the bot still has to poll public blockchain RPC endpoints over the network, so outbound JSON-RPC traffic (eth_call requests, for example) from workstations and servers that have no business talking to blockchain nodes is a detection opportunity, and egress policy can deny those endpoints outright where they are not needed. Keeping pace with such shifts in tradecraft remains essential to building defences that hold.
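As an added example (not taken from the page's sources), the detection idea in Python: given proxy or egress records of outbound HTTP POSTs, flag hosts that are not on an allowlist and repeatedly send JSON-RPC read calls such as eth_call or eth_getLogs, and report whether the timing looks like a fixed-interval poll. The records, host names, destination hostname, contract address and allowlist are constructed; the method names are standard Ethereum JSON-RPC methods, which Polygon nodes also serve. The check inspects request bodies, so it only works where the proxy terminates TLS or the endpoint is plaintext; without body visibility, fall back to matching destinations against a list of known RPC provider hostnames.

```python
"""
Added example: detecting hosts that poll blockchain RPC endpoints for commands.
Log records below are constructed for illustration and are not real telemetry.
"""
import json
from collections import defaultdict
from statistics import median

# Standard Ethereum JSON-RPC read methods a chain-polling implant would use.
WATCHED_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt", "eth_getTransactionByHash"}
# Hosts with a legitimate reason to talk to RPC nodes (constructed allowlist).
ALLOWLIST = {"dev-build-01"}


def parse_jsonrpc(body):
    """Return the parsed JSON-RPC request if body is one with a watched method, else None."""
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return None
    if isinstance(msg, dict) and msg.get("jsonrpc") == "2.0" and msg.get("method") in WATCHED_METHODS:
        return msg
    return None


def called_contract(msg):
    """For eth_call, the contract address the request reads from (lower-cased), else None."""
    if msg.get("method") != "eth_call":
        return None
    params = msg.get("params") or []
    if params and isinstance(params[0], dict):
        to = params[0].get("to")
        return to.lower() if isinstance(to, str) else None
    return None


def interval_profile(ts):
    """(median gap, max deviation from it) for sorted epoch seconds; None if under 3 samples."""
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    return med, max(abs(g - med) for g in gaps)


def find_pollers(records, allowlist=ALLOWLIST, min_calls=3, jitter=60):
    """Hosts outside the allowlist that send >= min_calls watched JSON-RPC reads.

    Returns {src: {"calls": n, "contracts": [...], "period": seconds or None,
                   "beaconing": True if the gaps are within `jitter` of the median}}.
    """
    per_host = defaultdict(lambda: {"ts": [], "contracts": set()})
    for r in records:
        if r["src"] in allowlist or r.get("method") != "POST":
            continue
        msg = parse_jsonrpc(r.get("body", ""))
        if msg is None:
            continue
        entry = per_host[r["src"]]
        entry["ts"].append(r["ts"])
        contract = called_contract(msg)
        if contract:
            entry["contracts"].add(contract)
    out = {}
    for src, entry in per_host.items():
        if len(entry["ts"]) < min_calls:
            continue
        prof = interval_profile(sorted(entry["ts"]))
        period, dev = prof if prof else (None, None)
        out[src] = {
            "calls": len(entry["ts"]),
            "contracts": sorted(entry["contracts"]),
            "period": period,
            "beaconing": prof is not None and dev <= jitter,
        }
    return out


def _rpc(method, params):
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})


CONTRACT = "0x" + "11" * 20          # constructed contract address
RPC_HOST = "rpc.example.invalid"     # constructed RPC provider hostname
# Constructed egress records: ts is epoch seconds, body is the POST payload.
RECORDS = [
    {"ts": 1700000000 + g, "src": "ws-042", "dst": RPC_HOST, "method": "POST",
     "body": _rpc("eth_call", [{"to": CONTRACT, "data": "0x"}, "latest"])}
    for g in (0, 600, 1200, 1805)    # ten-minute poll with a few seconds of jitter
] + [
    {"ts": 1700000100, "src": "dev-build-01", "dst": RPC_HOST, "method": "POST",
     "body": _rpc("eth_call", [{"to": CONTRACT, "data": "0x"}, "latest"])},
    {"ts": 1700000200, "src": "ws-077", "dst": "api.example.invalid", "method": "POST",
     "body": json.dumps({"user": "alice", "action": "login"})},
    {"ts": 1700000300, "src": "ws-013", "dst": RPC_HOST, "method": "POST",
     "body": _rpc("eth_call", [{"to": CONTRACT, "data": "0x"}, "latest"])},
]

if __name__ == "__main__":
    for host, info in find_pollers(RECORDS).items():
        print(host, info)
```

With the constructed data only ws-042 is reported: the allowlisted build host is skipped, ws-077 is sending ordinary JSON rather than JSON-RPC, and ws-013's single eth_call stays under the threshold. The contract addresses collected per host are worth keeping: a contract shared by several flagged hosts is a reusable indicator even though the RPC provider is not.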