September 10, 2019 By Douglas Bonderud 2 min read

A new strain of the Glupteba malware is cashing in on bitcoin transactions to continually update command-and-control (C&C) servers.

Discovered in 2011, the Glupteba Trojan has been used in multiple exploit kit attacks. Now, Trend Micro has identified a new strain that contains a browser stealer for sensitive data and a routine exploiter for MikroTik routers via the CVE-2018-14847 vulnerability. This version also contains a unique approach to updating its C&C servers: bitcoin transactions.

Using Blockchain to Update C&C Servers

Cutting links to C&C servers is an effective way to blunt the impact of malware infections. If malicious code strains can’t connect with data destinations, they often suspend operations or are rendered inert. As noted by The Next Web, however, the latest strain of Glupteba malware takes a new approach to continual connection by leveraging blockchain.

First, attackers use the Electrum bitcoin wallet to complete small transactions. These transactions include OP_RETURN data that contains encrypted C&C domain information. When Glupteba is activated on compromised devices, it uses a hardcoded ScriptHash string to seek out and decrypt this return data. This technique allows cybercriminals to sidestep typical security measures. If server links are severed, attackers simply make another bitcoin transaction to supply malware with a fresh C&C address.

A Range of Malicious Capabilities

While strains of Glupteba were often found as part of exploit kits, Bleeping Computer pointed out that the newest version relies on malvertising to force a dropper download and flood targets with multiple malware variants that enable malicious actors to download and execute files, take screenshots, compromise routers and turn infected devices into XMR mining machines.

In addition, the malware attempts to gain increased control over device functions by elevating privileges via the fodhelper method — fodhelper.exe naturally runs with high integrity, allowing attackers to bypass User Account Control (UAC) using custom registry entries — or identifying itself as a SYSTEM user by using stolen winlogon process tokens.

Breaking the Chain

Malicious emails and links are the top infection vector for malware threats such as Glupteba. Regular router patching is critical to avoid CVE-2018-14847 and similar vulnerabilities.

When it comes to the use of blockchain to deliver C&C addresses, IBM experts note that its nature — blockchain is code, and code can be flawed — combined with a dearth of industry expertise opens potential avenues of compromise. Breaking the chain demands both broad cloud security controls to manage transactions at scale and specific user identity oversight to limit the risk of accidental exposure.

More from

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today