Glupteba malware exploits Bitcoin transactions to keep C2 servers updated

September 6, 2019

A recently discovered variant of the Glupteba dropper and backdoor trojan is capable of deriving command-and-control domains via tracked Bitcoin transactions.

In addition to the primary backdoor payload, the Glupteba dropper also delivers two more components to victims' machines: a browser stealer and router exploit, according to a blog post this week from Trend Micro, authored by researchers Jaromir Horejsi and Joseph Chen.

The stealer payload is capable of swiping browsing history, website cookies, and account names and passwords from users of browsers such as Chrome, Opera. and Yandex. Meanwhile, the router exploit takes advantage of an old, patched MikroTik RouterOS vulnerability that allows remote authenticated attackers to write arbitrary files. A successful exploit allows the attackers to configure the router as a SOCKS proxy that they can route malicious traffic through in order to hide their true IP address.

"It seems the operators are still improving their malware and may be trying to extend their proxy network to internet of things (IoT) devices," the researchers report.

But it's Glupteba's C&C updating functionality that's particularly noteworthy. According to Trend Micro, the malware uses the discoverDomain function, which "enumerates Electrum Bitcoin wallet servers using a publicly available list, then tries to query the blockchain script hash history of the script with a hardcoded hash. This command then reveals all the related transactions."

"Then each transaction is parsed, searching for the OP_RETURN instruction," the blog post continues. "The pieces of data followed by OP_RETURN instruction are then used as parameters for AES decryption routine... This technique makes it more convenient for the threat actor to replace C&C servers. If they lose control of a C&C server for any reason, they simply need to add a new Bitcoin script and the infected machines obtain a new C&C server by decrypting the script data and reconnecting."

This particular version of Glupteba was delivered via a malvertising campaign targeting file-sharing websites, Trend Micro reports.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Glupteba malware exploits Bitcoin transactions to keep C2 servers updated

Related

Chat GPT, QR codes, Boot Guard, Akira, SuperCare, Jason Wood, and More News – SWN #296

Leaked LockBit, Babuk code leveraged by Buhti ransomware operation

Cuba ransomware claims refuted by Philadelphia Inquirer

Related Events

Beauty in the Basics: Battling advanced ATO schemes with simple practices

Evening the Odds Against Overpowered Cyber Adversaries: A Business Impact Analysis

2023 CISO Cybersecurity Priorities

Get daily email updates