Full Report
Infrastructure mapping, EtherHiding C2, ASN analysis & blockchain pivoting (pt2)
Analysis Summary
# Tool/Technique: Remus Infostealer (Infrastructure & EtherHiding C2)
## Overview
Remus is an information stealer, considered a successor to the Lumma infostealer. It utilizes a sophisticated "EtherHiding" technique, leveraging Ethereum smart contracts as a decentralized configuration storage to hide and update its Command and Control (C2) domains. This allows the malware to remain resilient against traditional domain blacklisting and sinkholing.
## Technical Details
- **Type:** Malware family (Infostealer)
- **Platform:** Windows (implied by infostealer category and TTPs)
- **Capabilities:** Infostealing, blockchain-based C2 retrieval (EtherHiding), defense evasion.
- **First Seen:** Early March 2024 (per registration date analysis)
## MITRE ATT&CK Mapping
- **[TA0011 - Command and Control]**
  - **[T1584.008 - Compromise Infrastructure: Web Services]** (Blockchain/Smart Contracts)
  - **[T1102.003 - Web Service: One-Way Communication]** (Dead Drop Resolver via Ethereum)
  - **[T1568.002 - Dynamic Resolution: Domain Generation Algorithms]** (Automated domain registration patterns)
- **[TA0005 - Defense Evasion]**
  - **[T1564.010 - Hide Artifacts: EtherHiding]**
## Functionality
### Core Capabilities
- **EtherHiding C2:** The malware interacts with specific Ethereum smart contracts to pull the current C2 domain. This allows operators to change backend infrastructure without updating the malware binary.
- **Automated Infrastructure Deployment:** High concentration of `.biz` domains registered via Dynadot, often in bulk, hosted primarily on AS 47583 (Hostinger) and AS 206834 (Team Internet AG).
- **Data Exfiltration:** Uses central IP convergence points (specifically `185.53.179[.]128`) to collect stolen data.
### Advanced Features
- **Contract Iteration (Smart Contract Evolutions):**
  - **DomainStorage:** Early version; basic read/write functions for strings.
  - **DataStore v1:** Basic storage, public fields, minimal logging.
  - **DataStore v2:** Introduces validation (strict `http://:` format and numeric ports), private data fields, and ownership transfer.
  - **DataStore v3:** Gas-optimized, utilizes `immutable` owners, and strips all event logging to make rotation history invisible on the blockchain.
- **OpSec Hardening:** Later versions of the blockchain contracts remove "DomainUpdated" events to prevent researchers from using blockchain explorers (like Etherscan or Dune) to track C2 changes.
## Indicators of Compromise
### Network Indicators
- **C2 Domains:**
- **IP Addresses:**
  - `185.53.179[.]128` (High-confidence exfiltration point)
  - `103.211.219[.]238`
  - `195.19.194[.]107`
  - `65.21.104[.]235`
- **Ethereum Smart Contracts:**
  - `0xd3b72fd8acfe7ddff21de37bee562df2fa32e287` (DataStore v1)
  - `0x5b394cd35336688F3753C4ECF1f0fB996763f318` (DataStore v2)
  - `0x39d689037e80cb54004d0943d927aa2b57cd5c0d` (DataStore v3)
  - `0x999941b74F6bbc921D5174A5b29911562cd2D7CF` (DomainStorage)
## Associated Threat Actors
- **Remus Operators:** Likely Russian-speaking (indicated by Russian-language comments discovered within the DataStore v3 smart contract code).
## Detection Methods
- **Behavioral Detection:** Monitoring for processes attempting to query Ethereum JSON-RPC endpoints or blockchain explorers (e.g., `infura.io`, `etherscan.io`) from non-developer workstations.
- **Blockchain Monitoring:** Using platforms like Dune Analytics to monitor `DomainUpdated` or `DataUpdated` events on known Remus contracts.
- **Network Metadata:** Flagging unusual high-frequency traffic to `.biz` domains hosted on AS 47583 or AS 206834.
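The three detection ideas above, combined into one triage rule set as an added example (not code from the report): it flags Ethereum JSON-RPC traffic from non-developer hosts, escalates when the POSTed body is an `eth_call` against one of the contract addresses listed in this report, and separately flags `.biz` destinations on AS 47583/206834 and the exfiltration IP. The proxy event schema (`src_host`, `dst_host`, `dst_ip`, `dst_asn`, `body`), the `DEV_HOSTS` allow-list and the sample events are assumptions constructed for the demo.

```python
import json
# Contract addresses from the report, lower-cased so comparisons are case-insensitive.
REMUS_CONTRACTS = {
    "0xd3b72fd8acfe7ddff21de37bee562df2fa32e287",  # DataStore v1
    "0x5b394cd35336688f3753c4ecf1f0fb996763f318",  # DataStore v2
    "0x39d689037e80cb54004d0943d927aa2b57cd5c0d",  # DataStore v3
    "0x999941b74f6bbc921d5174a5b29911562cd2d7cf",  # DomainStorage
}
RPC_PROVIDERS = ("infura.io", "etherscan.io")
SUSPECT_ASNS = {47583, 206834}          # Hostinger, Team Internet AG
EXFIL_IPS = {"185.53.179.128"}
DEV_HOSTS = {"dev-ws-01"}               # assumption: hosts where Ethereum RPC traffic is expected

def _under(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify(event):
    """Return the reasons a single outbound proxy event looks like Remus activity."""
    reasons = []
    host = event.get("dst_host", "").lower()
    if event.get("src_host") not in DEV_HOSTS and _under(host, RPC_PROVIDERS):
        reasons.append("ethereum-rpc-from-non-dev-host")
        try:  # an eth_call against a known Remus contract is the strongest signal
            rpc = json.loads(event.get("body") or "{}")
            target = str(rpc["params"][0].get("to", "")).lower()
            if rpc.get("method") == "eth_call" and target in REMUS_CONTRACTS:
                reasons.append("eth_call-to-known-remus-contract:" + target)
        except (ValueError, KeyError, IndexError, AttributeError, TypeError):
            pass  # body missing or not a JSON-RPC request
    if host.endswith(".biz") and event.get("dst_asn") in SUSPECT_ASNS:
        reasons.append("biz-domain-on-as%d" % event["dst_asn"])
    if event.get("dst_ip") in EXFIL_IPS:
        reasons.append("known-exfil-ip")
    return reasons

def scan(events):
    """Index -> reasons for every event that triggered at least one rule."""
    return {i: r for i, ev in enumerate(events) if (r := classify(ev))}

# Constructed sample proxy events (not real telemetry); body is the POSTed JSON-RPC request.
SAMPLE_EVENTS = [
    {"src_host": "hr-laptop-07", "dst_host": "mainnet.infura.io", "dst_ip": "203.0.113.10", "dst_asn": 64496,
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call", "params": [{"to": "0x39D689037E80CB54004D0943D927AA2B57CD5C0D", "data": "0x"}, "latest"]})},
    {"src_host": "dev-ws-01", "dst_host": "mainnet.infura.io", "dst_ip": "203.0.113.10", "dst_asn": 64496,
     "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []})},
    {"src_host": "hr-laptop-07", "dst_host": "fightwa.biz", "dst_ip": "198.51.100.5", "dst_asn": 47583, "body": None},
    {"src_host": "hr-laptop-07", "dst_host": "upload.example", "dst_ip": "185.53.179.128", "dst_asn": 64496, "body": None},
    {"src_host": "fin-pc-02", "dst_host": "news.example.biz", "dst_ip": "192.0.2.8", "dst_asn": 13335, "body": None},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 0, 2 and 3 and leaves the developer workstation's `eth_blockNumber` call and the `.biz` site on an unrelated ASN alone.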
## Mitigation Strategies
- **Endpoint Protection:** Block access to common blockchain API providers if not required for business operations.
- **Network Filtering:** Restrict traffic to newly registered domains (NRDs) and block known malicious ASNs identified in the infrastructure mapping.
- **Execution Prevention:** Implement robust application whitelisting to prevent the initial infostealer payload from executing.
## Related Tools/Techniques
- **Lumma (LummaC2):** The predecessor to Remus with similar domain registration patterns.
- **EtherHiding:** The general technique of using blockchain as a persistent, censorship-resistant storage for C2 addresses.