A new strain of the Glupteba malware is cashing in on bitcoin transactions to continually update command-and-control (C&C) servers.

Discovered in 2011, the Glupteba Trojan has been used in multiple exploit kit attacks. Now, Trend Micro has identified a new strain that contains a browser stealer for sensitive data and a routine exploiter for MikroTik routers via the CVE-2018-14847 vulnerability. This version also contains a unique approach to updating its C&C servers: bitcoin transactions.

Using Blockchain to Update C&C Servers

Cutting links to C&C servers is an effective way to blunt the impact of malware infections. If malicious code strains can’t connect with data destinations, they often suspend operations or are rendered inert. As noted by The Next Web, however, the latest strain of Glupteba malware takes a new approach to continual connection by leveraging blockchain.

First, attackers use the Electrum bitcoin wallet to complete small transactions. These transactions include OP_RETURN data that contains encrypted C&C domain information. When Glupteba is activated on compromised devices, it uses a hardcoded ScriptHash string to seek out and decrypt this return data. This technique allows cybercriminals to sidestep typical security measures. If server links are severed, attackers simply make another bitcoin transaction to supply malware with a fresh C&C address.

A Range of Malicious Capabilities

While strains of Glupteba were often found as part of exploit kits, Bleeping Computer pointed out that the newest version relies on malvertising to force a dropper download and flood targets with multiple malware variants that enable malicious actors to download and execute files, take screenshots, compromise routers and turn infected devices into XMR mining machines.

In addition, the malware attempts to gain increased control over device functions by elevating privileges via the fodhelper method — fodhelper.exe naturally runs with high integrity, allowing attackers to bypass User Account Control (UAC) using custom registry entries — or identifying itself as a SYSTEM user by using stolen winlogon process tokens.

Breaking the Chain

Malicious emails and links are the top infection vector for malware threats such as Glupteba. Regular router patching is critical to avoid CVE-2018-14847 and similar vulnerabilities.

When it comes to the use of blockchain to deliver C&C addresses, IBM experts note that its nature — blockchain is code, and code can be flawed — combined with a dearth of industry expertise opens potential avenues of compromise. Breaking the chain demands both broad cloud security controls to manage transactions at scale and specific user identity oversight to limit the risk of accidental exposure.

More from

Is It Time to Start Hiding Your Work Emails?

In this digital age, it is increasingly important for businesses to be aware of their online presence and data security. Many companies have already implemented measures such as two-factor authentication and strong password policies – but there is still a great deal of exposure regarding email visibility. It should come as no surprise that cyber criminals are always looking for ways to gain access to sensitive information. Unfortunately, emails are a particularly easy target as many businesses do not encrypt…

2022 Industry Threat Recap: Finance and Insurance

The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

X-Force Prevents Zero Day from Going Anywhere

This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

And Stay Out! Blocking Backdoor Break-Ins

Backdoor access was the most common threat vector in 2022. According to the 2023 IBM Security X-Force Threat Intelligence Index, 21% of incidents saw the use of backdoors, outpacing perennial compromise favorite ransomware, which came in at just 17%. The good news? In 67% of backdoor attacks, defenders were able to disrupt attacker efforts and lock digital doorways before ransomware payloads were deployed. The not-so-great news? With backdoor access now available at a bargain price on the dark web, businesses…