Glupteba - Time to Blow Away the Cobwebs

Did you think that the bitcoin blockchain was all about cryptocurrency? Now it is being leveraged by malware operators to keep their campaigns alive: Glupteba hides its command-and-control updates in it.

The scoop

Researchers at Sophos have deconstructed a malware strain, Glupteba, that has quite a few new tricks up its sleeve. One of them is concealing updates to its list of C2 servers inside innocuous-looking data embedded in bitcoin transactions, which the bot fetches from the public blockchain, parses and decrypts.

Know your Glupteba facts

  • Glupteba propagates with EternalBlue, the SMB exploit leaked by the Shadow Brokers, to reach other machines on the network.
  • Glupteba is a bot (a "zombie") that also acts as a dropper for components that expand its capabilities.
  • Those capabilities include maintaining stealth via a rootkit, lateral movement, and attacks against IoT devices such as MikroTik routers.

Where does the blockchain come into this?

  • Bitcoin transactions are recorded in the bitcoin blockchain, a distributed public ledger that anyone can read and that cannot be edited or taken down after the fact.
  • To update its command-and-control (C2) servers, Glupteba contains a domain-updater function that queries transaction data from the bitcoin blockchain instead of contacting a server that defenders could seize.
  • The bot carries hardcoded bitcoin addresses. It looks up their transaction history and finds the transaction whose OP_RETURN field holds the encrypted C2 domain name, then decrypts it with a key built into the malware.
  • It can do this by fetching the transaction list for each hardcoded address from an explorer such as blockchain[.]info and taking the latest transaction, so the operators can publish a new C2 domain simply by sending another transaction from that address.
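The lookup described above, as an added example that is neither Sophos's analysis nor Glupteba's own code: a Go program that takes an explorer-style per-address transaction listing, picks the newest transaction that has an OP_RETURN output, extracts the pushed bytes and decrypts them. Everything concrete here is an assumption made for the example rather than a detail reported on this page: the 32-byte key, the "12-byte nonce followed by AES-256-GCM ciphertext and tag" payload layout, the domain names, and the JSON sample (constructed in sampleHistory, with its shape modeled on blockchain.info's rawaddr response). opReturnScriptHex plays the operator's side only so that the sample input can be built offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed for this example: a stand-in for the bot's hardcoded 32-byte key.
var c2Key = []byte("example-key-not-from-the-sample!")

// addrHistory: the fields this example needs from an explorer's per-address listing (shape modeled on blockchain.info's rawaddr JSON).
type addrHistory struct {
	Txs []struct {
		Time int64 `json:"time"`
		Out  []struct {
			Script string `json:"script"` // hex-encoded scriptPubKey
		} `json:"out"`
	} `json:"txs"`
}

// opReturnData returns the bytes pushed after OP_RETURN (0x6a), or nil for any other script.
func opReturnData(script []byte) []byte {
	if len(script) < 3 || script[0] != 0x6a {
		return nil
	}
	start, n := 2, int(script[1]) // direct push: opcode 1..75 is itself the length
	if script[1] == 0x4c {        // OP_PUSHDATA1: length lives in the next byte
		start, n = 3, int(script[2])
	}
	if n == 0 || (start == 2 && n > 75) || len(script) < start+n {
		return nil
	}
	return script[start : start+n]
}

// latestC2Domain is the bot side: take the newest transaction in the address history that has an
// OP_RETURN output and decrypt it. Assumed layout: 12-byte nonce || AES-256-GCM ciphertext || tag.
func latestC2Domain(historyJSON, key []byte) (string, error) {
	var h addrHistory
	if err := json.Unmarshal(historyJSON, &h); err != nil {
		return "", err
	}
	var payload []byte
	newest := int64(-1)
	for _, tx := range h.Txs {
		for _, o := range tx.Out {
			script, err := hex.DecodeString(o.Script)
			if data := opReturnData(script); err == nil && data != nil && tx.Time > newest {
				payload, newest = data, tx.Time
			}
		}
	}
	if payload == nil {
		return "", errors.New("no OP_RETURN output in address history")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	if len(payload) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("OP_RETURN payload too short for nonce and tag")
	}
	pt, err := gcm.Open(nil, payload[:gcm.NonceSize()], payload[gcm.NonceSize():], nil)
	return string(pt), err
}

// opReturnScriptHex is the operator side, used here only to build sample input: encrypt the
// domain and wrap it in an OP_RETURN script (direct push, so the payload must be <= 75 bytes).
func opReturnScriptHex(key, nonce []byte, domain string) string {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	payload := append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, []byte(domain), nil)...)
	return hex.EncodeToString(append([]byte{0x6a, byte(len(payload))}, payload...))
}

// sampleHistory is a constructed address listing with an older and a newer update (plus an
// ordinary P2PKH output), so the "latest transaction" rule has something to choose between.
func sampleHistory(key []byte) []byte {
	p2pkh := "76a914" + hex.EncodeToString(make([]byte, 20)) + "88ac" // OP_DUP OP_HASH160 <hash> OP_EQUALVERIFY OP_CHECKSIG
	h := map[string]any{"address": "constructed-address", "txs": []map[string]any{
		{"time": 1700000200, "out": []map[string]string{
			{"script": p2pkh}, {"script": opReturnScriptHex(key, []byte("nonce-newer!"), "new.example.test")}}},
		{"time": 1700000000, "out": []map[string]string{
			{"script": opReturnScriptHex(key, []byte("nonce-older!"), "old.example.test")}}},
	}}
	b, _ := json.Marshal(h)
	return b
}

func main() {
	domain, err := latestC2Domain(sampleHistory(c2Key), c2Key)
	fmt.Println(domain, err) // new.example.test <nil>
}
```

Run as is, it prints the newer domain, because selection goes by transaction time rather than by list order. For a defender the same parser, pointed at a suspect address's real history, shows what such an update channel carries; the hardcoded addresses themselves are the indicator worth hunting for, since the operators cannot change them without shipping a new binary. Two caveats: a real sample's key and payload layout have to be recovered from the binary, and OP_RETURN data is not the only place a transaction can smuggle bytes, so a parser that only checks 0x6a outputs will miss variants.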

The takeaway

Glupteba is a sneaky piece of malware whose many stealth capabilities make it hard to detect and hard to stop from spreading. Its complexity, however, also makes it unreliable, so it is prone to trip security alarms at some point.