Researchers have uncovered Aeternum C2, a command-and-control infrastructure built to be effectively permanent, combining resilient persistence with effective network-level evasion.
For decades, dismantling a botnet meant locating its control server, seizing the associated domain, and watching the infected machines go dark. Law enforcement used exactly this approach to take down major operations such as Emotet, TrickBot, and QakBot.
A new malware framework, Aeternum C2, was built specifically to defeat that takedown model: it keeps no commands on servers or domains at all. Instead, every directive is stored directly on the Polygon blockchain.
Aeternum's commands live in smart contracts deployed on Polygon, an open-source public ledger replicated across a large number of nodes worldwide.
Because there is no single server to seize and no domain to suspend, the botnet keeps operating regardless of what authorities or hosting platforms decide.
Defenders whose playbook relied on seizing infrastructure now face an environment in which that strategy no longer works; Aeternum is reported to be the first commercial offering to integrate a blockchain into its command-and-control channel.
Qrator Labs' experts, while monitoring malicious network activity, identified the framework's loader component: it is written in pure C++ and is offered in both 32-bit and 64-bit builds.
Investigators found that each command sent to compromised devices is recorded as a transaction on the Polygon chain (an Ethereum-compatible network). Bots retrieve these instructions through publicly accessible Remote Procedure Call (RPC) endpoints.
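As an added defender-side example (not from the article or from Qrator Labs), the following Python sketch flags internal hosts that poll Ethereum-style JSON-RPC read methods on a regular cadence, which is the retrieval behaviour the article attributes to the bots; the log format, hostnames and addresses are constructed for illustration.

```python
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime

# JSON-RPC read methods a client needs in order to poll a contract for new data.
RPC_READ_METHODS = {"eth_call", "eth_getLogs", "eth_blockNumber", "eth_getStorageAt"}

# Constructed sample proxy log: timestamp, source host, destination, verb, body.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.7 rpc.example-polygon.test POST {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xdeadbeef"},"latest"],"id":1}
2024-05-01T10:02:30Z 10.0.0.7 rpc.example-polygon.test POST {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xdeadbeef"},"latest"],"id":2}
2024-05-01T10:05:00Z 10.0.0.7 rpc.example-polygon.test POST {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xdeadbeef"},"latest"],"id":3}
2024-05-01T10:07:30Z 10.0.0.7 rpc.example-polygon.test POST {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xdeadbeef"},"latest"],"id":4}
2024-05-01T10:01:00Z 10.0.0.9 www.example.test GET -
2024-05-01T10:03:00Z 10.0.0.9 rpc.example-polygon.test POST {"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

def parse_line(line):
    """Return a record with the JSON-RPC method (or None) for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, verb, body = m.groups()
    method = None
    if verb == "POST" and body.startswith("{"):
        try:
            method = json.loads(body).get("method")
        except json.JSONDecodeError:
            method = None
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "method": method}

def find_rpc_beacons(log_text, min_calls=3, max_jitter=0.2):
    """Map source host -> (call count, mean interval in seconds) for hosts that
    issue RPC read calls at a steady cadence (relative std-dev <= max_jitter)."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] in RPC_READ_METHODS:
            per_host[rec["src"]].append(rec["ts"])
    hits = {}
    for src, stamps in per_host.items():
        if len(stamps) < min_calls:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean and statistics.pstdev(gaps) / mean <= max_jitter:
            hits[src] = (len(stamps), round(mean, 1))
    return hits
```

Legitimate wallet or dApp traffic also hits these endpoints, so the output is a triage lead to combine with process and asset context, not a verdict on its own.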
According to the seller, every active bot receives an update within roughly 2-3 minutes, which is faster and more reliable than conventional peer-to-peer botnets.
The framework is advertised for sale on dark web marketplaces in two forms: an annual subscription with a ready-to-use setup, or the complete source package with all necessary modifications, available at no cost but bundled with indefinite ongoing support.
Running costs are minimal: $1 in MATIC tokens covers roughly 100 to 150 commands on the Polygon network.
Operating without renting servers or buying domains sharply reduces the cost of sustaining a criminal network, putting such operations within reach of many more malicious actors.
The implications of this botnet framework reach well beyond isolated attacks.
Once deployed, such botnets can keep growing without interruption and be used for Distributed Denial of Service attacks, brute-force login attempts, click fraud, proxy abuse, and theft of sensitive data.
Even a thorough clean-up of infected systems leaves the operators' smart contracts untouched, so they can quickly push out new builds whenever needed without extensive reconfiguration.
Blockchain-Based C2: How Aeternum Operates and Evades Detection
Operators manage everything through a web-based control panel. From it, the attacker selects a smart contract, chooses how the command applies (to every bot in the botnet, to a specific device addressed by its unique hardware identifier (HWD), or as a malicious DLL to be loaded), supplies a payload link, and then broadcasts the resulting update as a transaction on the blockchain.