Categories: Bitcoin Business

Glupteba malware exploits Bitcoin transactions to keep C2 servers updated

Click here to view original web page at www.scmagazine.com

A recently discovered variant of the Glupteba dropper and backdoor trojan is capable of deriving command-and-control domains via tracked Bitcoin transactions.

In addition to the primary backdoor payload, the Glupteba dropper also delivers two more components to victims’ machines: a browser stealer and router exploit, according to a blog post this week from Trend Micro, authored by researchers Jaromir Horejsi and Joseph Chen.

The stealer payload is capable of swiping browsing history, website cookies, and account names and passwords from users of browsers such as Chrome, Opera. and Yandex. Meanwhile, the router exploit takes advantage of an old, patched MikroTik RouterOS vulnerability that allows remote authenticated attackers to write arbitrary files. A successful exploit allows the attackers to configure the router as a SOCKS proxy that they can route malicious traffic through in order to hide their true IP address.

“It seems the operators are still improving their malware and may be trying to extend their proxy network to internet of things (IoT) devices,” the researchers report.

But it’s Glupteba’s C&C updating functionality that’s particularly noteworthy. According to Trend Micro, the malware uses the discoverDomain function, which “enumerates Electrum Bitcoin wallet servers using a publicly available list, then tries to query the blockchain script hash history of the script with a hardcoded hash. This command then reveals all the related transactions.”

“Then each transaction is parsed, searching for the OP_RETURN instruction,” the blog post continues. “The pieces of data followed by OP_RETURN instruction are then used as parameters for AES decryption routine… This technique makes it more convenient for the threat actor to replace C&C servers. If they lose control of a C&C server for any reason, they simply need to add a new Bitcoin script and the infected machines obtain a new C&C server by decrypting the script data and reconnecting.”

This particular version of Glupteba was delivered via a malvertising campaign targeting file-sharing websites, Trend Micro reports.

In addition to the primary backdoor payload, the Glupteba […]

cinerama

Illuminati, Mason, Anonymous I'll never tell. I can tell you this, global power is shifting and those who have the new intelligence are working to acquire this new force. You matter naught except to yourself, therefore prepare for the least expected and make your place in the new world order.

Disqus Comments Loading...
Share
Published by
cinerama

Recent Posts

Watford FC to brand Bitcoin logo on the jersey

The initiative is being carried out as a part of a brand partnership with sports betting site Sportsbet.io. Sportsbet.io's marketing… Read More

5 hours ago

Latest Bitcoin price and analysis (BTC to USD)

At the time of writing, Bitcoin (BTC) is trading at just above $10,300 after gaining about 1% since last week.BTC… Read More

5 hours ago

Johnstone: How To Defeat The Empire

Authored by Caitlin Johnstone via CaitlinJohnstone.com, One of the biggest and most consistent challenges of my young career so far… Read More

5 hours ago

Today’s Bitcoin Drop Driven by Massive Volume Influx

Bitcoin has been facing a bout of sideways trading for the past several days, but today’s drop to below $10,200… Read More

5 hours ago

L.A. to Choose Blockchain Pilot Project at CIS Conference

With a growing interest in blockchain solutions for government, the city of Los Angeles has partnered with organizers of a… Read More

5 hours ago

Bitcoin’s heading to a new all-time high along with the S&P 500, says Fundstrat’s Tom Lee

watch nowTalk about a bitcoin bull case.The digital currency is headed to new record highs, says Tom Lee, co-founder, managing… Read More

5 hours ago

This website uses cookies. We use these cookies to collect data about your interaction with our website for the purpose of continuously improving your experience with our site. For more information we encourage you to read our privacy policy.

Read More