Glupteba malware exploits Bitcoin transactions to keep C2 servers updated
A recently discovered variant of the Glupteba dropper and backdoor trojan is capable of deriving command-and-control domains via tracked Bitcoin transactions.
In addition to the primary backdoor payload, the Glupteba dropper also delivers two more components to victims’ machines: a browser stealer and router exploit, according to a blog post this week from Trend Micro, authored by researchers Jaromir Horejsi and Joseph Chen.
The stealer payload is capable of swiping browsing history, website cookies, and account names and passwords from users of browsers such as Chrome, Opera. and Yandex. Meanwhile, the router exploit takes advantage of an old, patched MikroTik RouterOS vulnerability that allows remote authenticated attackers to write arbitrary files. A successful exploit allows the attackers to configure the router as a SOCKS proxy that they can route malicious traffic through in order to hide their true IP address.
“It seems the operators are still improving their malware and may be trying to extend their proxy network to internet of things (IoT) devices,” the researchers report.
But it’s Glupteba’s C&C updating functionality that’s particularly noteworthy. According to Trend Micro, the malware uses the discoverDomain function, which “enumerates Electrum Bitcoin wallet servers using a publicly available list, then tries to query the
blockchain script hash history of the script with a hardcoded hash. This command then reveals all the related transactions.”
“Then each transaction is parsed, searching for the OP_RETURN instruction,” the blog post continues. “The pieces of data followed by OP_RETURN instruction are then used as parameters for AES decryption routine… This technique makes it more convenient for the threat actor to replace C&C servers. If they lose control of a C&C server for any reason, they simply need to add a new Bitcoin script and the infected machines obtain a new C&C server by decrypting the script data and reconnecting.”
This particular version of Glupteba was delivered via a malvertising campaign targeting file-sharing websites, Trend Micro reports.