Comment by Animats
14 hours ago
"It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints. Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time."
Does this mean firewalls now have to block all Ethereum endpoints?
Should something like a WordPress server not have a domain allowlist for outbound connections? Does WordPress need to connect to arbitrary domains?
That is a never-ending game of whack-a-mole. There are infinite places to put command and control data.
The attack has to find the control nodes. Domains and IP addresses can be turned off. With this approach, there's no way to stop the finding process even after the attack has been reverse-engineered, short of firewalling or shutting down crypto nodes.
What happens when Ethereum gets a takedown order?
More generally, what happens as the malware ecosystem integrates with the cryptocurrency ecosystem?
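The outbound allowlist idea raised above (whether a WordPress host should only be allowed to reach a fixed set of domains) is easy to sketch as a policy check. The following is an added example, not code from the comment author or from WordPress: it evaluates constructed outbound-connection log lines against a hypothetical allowlist, treats bare IP-literal destinations as denied (they sidestep any name-based policy), and returns the denied connections so they can be alerted on or used to seed a firewall rule. The allowlist entries, log format and sample lines are all assumptions made for the example.

```python
"""Egress allowlist check for a web server's outbound connections (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical allowlist for a WordPress host: the destinations such an install
# would plausibly need (update servers, a mail relay). These are assumptions for
# the example, not a recommended production list.
ALLOWLIST = {
    "api.wordpress.org",
    "*.wordpress.org",      # "*." allows any subdomain, not the bare domain
    "smtp.example.com",
}

# Constructed log lines in a simple "timestamp process destination port" format.
# Not real traffic; the .invalid TLD marks a made-up hostname.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z php-fpm api.wordpress.org 443
2024-01-01T10:00:02Z php-fpm downloads.wordpress.org 443
2024-01-01T10:00:03Z php-fpm 203.0.113.10 443
2024-01-01T10:00:04Z php-fpm rpc.example-chain.invalid 8545
2024-01-01T10:00:05Z php-fpm smtp.example.com 587
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)$")


@dataclass
class Verdict:
    ts: str
    proc: str
    dst: str
    port: int
    allowed: bool
    reason: str


def host_matches(dst: str, pattern: str) -> bool:
    """Exact match, or subdomain match for '*.example' patterns."""
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".wordpress.org"
        return dst.endswith(suffix) and dst != suffix
    return dst == pattern


def is_ip_literal(dst: str) -> bool:
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def evaluate(dst: str, port: int, allowlist=ALLOWLIST):
    """Return (allowed, reason) for a single destination."""
    dst = dst.lower().rstrip(".")
    if is_ip_literal(dst):
        # A name-based allowlist cannot vouch for a raw address; deny and surface it.
        return False, "ip-literal destination (bypasses name-based policy)"
    for pattern in allowlist:
        if host_matches(dst, pattern):
            return True, f"matches {pattern}"
    return False, "not on allowlist"


def check_log(text: str, allowlist=ALLOWLIST):
    """Parse the constructed log format and evaluate every line."""
    verdicts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # skip malformed lines rather than guess
        port = int(m["port"])
        allowed, reason = evaluate(m["dst"], port, allowlist)
        verdicts.append(Verdict(m["ts"], m["proc"], m["dst"], port, allowed, reason))
    return verdicts


def denied(text: str, allowlist=ALLOWLIST):
    """Only the connections the policy would block; what an alert should carry."""
    return [v for v in check_log(text, allowlist) if not v.allowed]


if __name__ == "__main__":
    for v in check_log(SAMPLE_LOG):
        print("ALLOW" if v.allowed else "DENY ", v.proc, v.dst, v.port, "-", v.reason)
```

On the sample input the two flagged lines are the IP-literal destination and the unknown RPC host; everything under the allowlisted domains passes. Whether a real deployment enforces this at the host firewall, an egress proxy, or a DNS resolver that only answers for allowlisted names is a separate choice, but the decision logic is the same, and the denied list is the useful output either way.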