Glupteba malware leverages blockchain as a communications channel

Glupteba malware does something novel: It uses the bitcoin blockchain as a communications channel to receive updated configuration information.

That’s important because malware always needs a way to go back to its home base, preferably without being detected, according to a paper released this week by Sophos Labs researchers.

The new form of malware sprinkles some of the old with the new to launch malware that can steal local PII on web browsers and then launch similar attacks from the victim’s home network.

But even as it blazes a new trail for maneuvering malware in the blockchain world, Glupteba uses one of the oldest tricks in the book: The malware preys on people’s unending desire to get something for nothing.

Andrew Brandt, a principal researcher at Sophos Labs, explained that Glupteba tends to prey on people who frequent piracy sites looking for popular graphics programs such as Adobe Illustrator.

“This is definitely a play for people working from home or people who have their kids at home,” Brandt says. “I don’t know what it is, people must know these sites are bad, but the lure is too strong. Glupteba tends to prey on people who don’t have a lot of money, but need the functionality of these software programs.”

Brandt would not disclose the damage Glupteba has caused and would not tie these activities to specific threat groups. However, while Sophos researchers don’t have any direct information about why the creators of Glupteba have made this malware, Brandt said a potential motive may be to create a network of machines in which they can sell access – mainly to other malware groups.

“We also know they have a component of their malware that steals passwords and other sensitive data from the infected machine, but we have no information about what they do with that information, and we’d prefer not to speculate whether they use it themselves, sell it onward, or do something else with it,” Brandt added.

According to a recent Sophos blog, while many of Glupteba’s self-protection components mean that it has many tricks available to stop itself showing up in the victim’s security logs, this complexity makes the malware less reliable, and ironically more prone to triggering security alarms at some point.

“Some of the low-level programming tricks it uses…not only don’t work on recent versions of Windows, but also often draw attention to themselves by the way they misbehave, up to and including crashing your computer with a giveaway blue screen of death,” the blog reported.

Despite these reassuring points, once Glupteba infects a machine, it has any number of ways to make its way on to networks and has been cleverly designed to evade defenders. Here are the main characteristics of Glupteba as outlined by Sophos Labs:  

  • Uses a rootkit to avoid detection. Glupteba includes a variety of Windows kernel drivers that hide the existence of specific files and processes. Kernel rootkits are unusual today because they’re complex to write and often draw unnecessary attention to themselves. If loaded successfully, rootkits help cybersecurity threats keep malware files off the radar of security tools.
  • Turns off security tools. The malware has a module that does its best to turn Windows Defender off, and then regularly checks to make sure it hasn’t turned itself back on. It also looks for other security tools, including antivirus software and system monitoring programs, killing them off so they can no longer search for and report anomalies.
  • Exploits EternalBlue. It uses two different variants of the EternalBlue exploit to distribute itself automatically across a network and then can use a home network as a launchpad to reach out just about anywhere else. That makes it more of an old-school, self-spreading computer worm rather than a standalone piece of malware.
  • Attacks home routers. The malware bundles in various exploits against popular home and small business routers, using the victim’s computer as a jumping off point for future attacks. This casts the victim as an attacker.
  • Steals browser data. Glupteba goes after local data from four browsers: Chrome, Firefox, Yandex and Opera – and then uploads them to the bad guys. Browser files often contain sensitive information such as URL history, authentication cookies and login details.
  • Leverages a cryptojacker. Along with everything else it does, Glupteba acts as a secret management tool for two different cryptomining tools. 

Charles Ragland, security engineer at  Digital Shadows, views Glupteba as an advanced piece of malware that’s capable of many common bot actions.

“The concept of bots being able to communicate back to a C2 (command and control) server to receive instructions is nothing new, however, the use of messages relayed via blockchain transactions is intriguing and novel,” Ragland says. “This is a clear demonstration of attackers modifying existing techniques to adapt new technologies to their arsenal and continue their activities in an obfuscated manner.”

And Hank Schless, senior manager, security solutions at Lookout, explained that given the increasing similarities in functionality between mobile devices and laptops, particularly the reliance on cloud services, this type of malware could just as easily get used to target mobile devices. 

“The components of this attack, such as the rootkit, virus, and browser stealer all have mobile equivalencies in the form of rooting or jailbreaking, hidden mobile malware, and screen overlay attacks,” Schless said. “Since anything that transacts cryptocurrency uses blockchain, this communication method could be altered to function on mobile malware, allowing a mobile app to covertly receive command and control instructions.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.