Researchers at Qihoo 360's Netlab security team discovered that the novel Orchard botnet has been hiding its command-and-control infrastructure behind domain names generated from the account transaction details of Bitcoin creator Satoshi Nakamoto, The Hacker News reports.
Such a C2 concealment technique is "more unpredictable" than time-based domain generation algorithms, according to the researchers, who noted that Orchard has already been revised three times since it emerged in February 2021. Initially designed to deploy additional payloads, execute commands, and upload device and user data, Orchard has since been updated to deploy the XMRig program for Monero mining and to use the DGA in attacks.
"Over the past decade or so, small amounts of bitcoin have been transferred to this wallet on a daily basis for various reasons, so it is variable and that change is difficult to predict, so the balance information for this wallet can also be used as DGA input," researchers added.
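The practical point for defenders is that a DGA seeded from a public, observable value (a wallet balance read from the blockchain) is still reproducible: whoever can read the same input can pre-compute the candidate domains and match them against DNS telemetry. The following is an added illustration of that idea, not Orchard's actual algorithm and not code from Netlab or The Hacker News; the SHA-256 labelling scheme, the `client=... query=...` log format, and the balance value are all assumptions constructed for this example.

```python
import hashlib
import re
from datetime import date

# Hypothetical, simplified DGA: derive candidate domains deterministically
# from an arbitrary seed string. This is a constructed illustration of the
# concept (seeding a DGA from an external value), NOT Orchard's real DGA.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def generate_candidates(seed, count=5, tld="com"):
    """Return `count` candidate domains derived from `seed` (hypothetical scheme)."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).digest()
        # Map the first 12 digest bytes to lowercase letters for the label.
        # (b % 26 has slight modulo bias; irrelevant for an illustration.)
        label = "".join(ALPHABET[b % 26] for b in digest[:12])
        domains.append(f"{label}.{tld}")
    return domains

def time_seed(day):
    """Classic time-based seed: anyone who knows the date can reproduce it."""
    return f"date:{day.isoformat()}"

def balance_seed(balance_sat):
    """Balance-based seed: the input is a wallet balance in satoshis that a
    defender must observe on-chain before candidates can be pre-computed."""
    return f"balance:{balance_sat}"

# Assumed resolver log format (constructed): "<date> <time> client=<ip> query=<qname>"
DNS_LOG_RE = re.compile(r"^\S+ \S+ client=(?P<client>\S+) query=(?P<qname>\S+)$")

def flag_queries(log_lines, candidates):
    """Return (client, qname) pairs whose query matches a pre-computed candidate."""
    wanted = set(candidates)
    hits = []
    for line in log_lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse as resolver entries
        qname = m.group("qname").rstrip(".").lower()
        if qname in wanted:
            hits.append((m.group("client"), qname))
    return hits

def sample_log(candidates):
    """Constructed resolver log: one benign lookup, one hit on a candidate."""
    return [
        "2022-08-11 09:15:02 client=10.0.0.7 query=www.example.com.",
        f"2022-08-11 09:15:03 client=10.0.0.5 query={candidates[0]}.",
        "garbage line that should be ignored",
    ]

if __name__ == "__main__":
    # Constructed balance value (not a real wallet reading).
    observed_balance_sat = 123_456_789
    cands = generate_candidates(balance_seed(observed_balance_sat))
    print("candidates:", cands)
    print("time-seeded:", generate_candidates(time_seed(date(2022, 8, 11))))
    print("hits:", flag_queries(sample_log(cands), cands))
```

Because the time-seeded variant depends only on the calendar, its candidates can be listed far in advance; the balance-seeded variant can only be matched once the balance has been observed, which is why the text calls it harder to predict, but it remains fully reproducible from public data.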