Threat Management, Malware

Glupteba malware exploits Bitcoin transactions to keep C2 servers updated


A recently discovered variant of the Glupteba dropper and backdoor trojan is capable of deriving command-and-control domains via tracked Bitcoin transactions.

In addition to the primary backdoor payload, the Glupteba dropper also delivers two more components to victims' machines: a browser stealer and router exploit, according to a blog post this week from Trend Micro, authored by researchers Jaromir Horejsi and Joseph Chen.

The stealer payload is capable of swiping browsing history, website cookies, and account names and passwords from users of browsers such as Chrome, Opera. and Yandex. Meanwhile, the router exploit takes advantage of an old, patched MikroTik RouterOS vulnerability that allows remote authenticated attackers to write arbitrary files. A successful exploit allows the attackers to configure the router as a SOCKS proxy that they can route malicious traffic through in order to hide their true IP address.

"It seems the operators are still improving their malware and may be trying to extend their proxy network to internet of things (IoT) devices," the researchers report.

But it's Glupteba's C&C updating functionality that's particularly noteworthy. According to Trend Micro, the malware uses the discoverDomain function, which "enumerates Electrum Bitcoin wallet servers using a publicly available list, then tries to query the blockchain script hash history of the script with a hardcoded hash. This command then reveals all the related transactions."

"Then each transaction is parsed, searching for the OP_RETURN instruction," the blog post continues. "The pieces of data followed by OP_RETURN instruction are then used as parameters for AES decryption routine... This technique makes it more convenient for the threat actor to replace C&C servers. If they lose control of a C&C server for any reason, they simply need to add a new Bitcoin script and the infected machines obtain a new C&C server by decrypting the script data and reconnecting."

This particular version of Glupteba was delivered via a malvertising campaign targeting file-sharing websites, Trend Micro reports.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.