Retrieving C2 updates through blockchain
Researchers explain that the malware can update its C2 server address through the blockchain via the function ‘discoverDomain’.
“The discoverDomain function can be run either by sending a backdoor command, or automatically by the dropper. DiscoverDomain first enumerates Electrum Bitcoin wallet servers using a publicly available list, then tries to query the blockchain script hash history of the script with a hardcoded hash,” said the researchers in a blog post.
Once it infects a computer, the dropper starts collecting system information, which it stores in the Windows registry. That data is later encrypted with an AES cipher and uploaded to the malware’s C2 server in a POST request.
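The behaviour described above gives defenders a usable signal: a single host asking many Electrum servers for the history of one and the same script hash is wallet-protocol traffic, but not wallet-like usage. The following is an added example (not code from the researchers' post), a small Python heuristic over constructed sensor records; the record schema (src, dst, payload), the server names and the script hashes are assumptions.

```python
import json
from collections import defaultdict

# Constructed 64-hex-char script hashes; placeholders, not real indicators.
PLACEHOLDER_HASH = "11" * 32   # the "hardcoded" hash a dropper would query everywhere
WALLET_HASH = "22" * 32        # an unrelated hash used by a legitimate wallet

def _req(src, dst, method, params, rid):
    """Build one constructed log record wrapping an Electrum JSON-RPC request."""
    return json.dumps({"src": src, "dst": dst, "payload": {
        "jsonrpc": "2.0", "id": rid, "method": method, "params": params}})

# Constructed newline-delimited log: one host fans the same hash out to four
# servers, another host behaves like a normal wallet (several hashes, one server).
SAMPLE_LOG = "\n".join([
    _req("10.0.0.7", "electrum1.example:50002", "server.version", ["c", "1.4"], 1),
    _req("10.0.0.7", "electrum1.example:50002", "blockchain.scripthash.get_history", [PLACEHOLDER_HASH], 2),
    _req("10.0.0.7", "electrum2.example:50002", "blockchain.scripthash.get_history", [PLACEHOLDER_HASH], 3),
    _req("10.0.0.7", "electrum3.example:50002", "blockchain.scripthash.get_history", [PLACEHOLDER_HASH], 4),
    _req("10.0.0.7", "electrum4.example:50002", "blockchain.scripthash.get_history", [PLACEHOLDER_HASH], 5),
    _req("10.0.0.9", "electrum1.example:50002", "blockchain.scripthash.get_history", [WALLET_HASH], 1),
    _req("10.0.0.9", "electrum1.example:50002", "blockchain.scripthash.get_history", ["33" * 32], 2),
])

def parse_log(text):
    """Yield (src, dst, method, params) for each well-formed record; skip malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            payload = rec["payload"]
            yield rec["src"], rec["dst"], payload["method"], payload.get("params", [])
        except (ValueError, KeyError, TypeError):
            continue

def scripthash_fanout(text, min_servers=3):
    """Return {(src, scripthash): sorted servers} for every hash one host queried on
    at least min_servers distinct Electrum servers."""
    seen = defaultdict(set)
    for src, dst, method, params in parse_log(text):
        if method != "blockchain.scripthash.get_history" or not params:
            continue
        seen[(src, str(params[0]))].add(dst)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_servers}

if __name__ == "__main__":
    for (src, sh), servers in scripthash_fanout(SAMPLE_LOG).items():
        print(f"{src} queried {sh[:8]}... on {len(servers)} servers: {', '.join(servers)}")
```

Tune min_servers to the environment; hosts that legitimately run Electrum with several configured servers will raise the baseline, and the threshold should sit above it.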
About the stealer component
The stealer component of Glupteba malware includes the capability of extracting browser profiles, cookies, and passwords from Chrome, Opera and Yandex browsers.
About the router exploit component
Glupteba’s router exploiter searches for MikroTik routers vulnerable to CVE-2018-14847. Upon successful exploitation, the router’s admin credentials are harvested and sent to the malware’s C2 server.
"A compromised router will be configured as a SOCKS proxy to relay malicious traffic, matching the original purpose of the Glupteba botnet on Windows," added researchers.