Glupteba Malware Uses Bitcoin Blockchain To Update C2 Domains

By   ISBuzz Team
Writer , Information Security Buzz | Sep 06, 2019 05:06 am PST

A new variant of the Glupteba malware dropper is using the Bitcoin blockchain to fetch command and control (C2) server domains from Bitcoin transactions marked with OP_RETURN script opcodes.

Glupteba has been previously distributed as a secondary payload by the Alureon Trojan as part of a 2011 campaign designed to push clickjacking contextual advertising, as well as by the threat actors behind Operation Windigo onto their targets’ Windows computers with the help of exploit kits in 2014, as discovered by ESET’s security research team. Four years later, in 2018, the malware dropper was again spotted by ESET while being disseminated by a malicious campaign via a Pay-Per-Install scheme, adding all the infected machines to an attacker-controlled botnet.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Richard Bejtlich
Richard Bejtlich , Principal Security Strategist
InfoSec Expert
September 6, 2019 1:11 pm

In a report published September 4, 2019, Trend Micro reported its analysis of a new variant of Glupteba malware, which primarily affects Windows systems and routers. Trend Micro discovered that Glubteba is now using the Electrum Bitcoin blockchain to distribute command-and-control information. Intruders controlling systems compromised by Glupteba can update their C2 server list by using a platform normally used for legitimate Bitcoin transactions. This clever mechanism makes it difficult to prevent updates to the C2 list without denying authorized use of Electrum. The idea to abuse blockchain technology in this specific manner was introduced in a 2015 research paper by Ali, McCorry, Lee, and Hao titled \”ZombieCoin: Powering Next-Generation Botnets with Bitcoin,\” but Glubteba may be the first criminal implementation. Enterprise defenders seeking to counter this activity can leverage network security monitoring data to look for Bitcoin-related traffic, as well as the URLs, IP addresses, and domains accompanying the Trend Micro report.

Last edited 4 years ago by Richard Bejtlich

Recent Posts

Would love your thoughts, please comment.x