Glupteba botnet is still active despite Google’s efforts to disrupt its operation


The Glupteba malware botnet has resurfaced once again with renewed vigor despite Google’s efforts to disrupt its operations nearly a year ago. A blockchain analysis conducted by industrial and IoT cybersecurity firm Nozomi Networks shows that it took Glupteba operators about six months to build a new campaign from scratch and distribute it in the wild, and this time on a much larger scale.

The newest campaign, which is ongoing, was launched in June 2022, according to Nozomi. Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices. It is distributed via fraudulent ads or software cracks.

The researchers say there are several Glupteba modules aimed at exploiting vulnerabilities in Internet of Things (IoT) appliances from vendors such as MikroTik and Netgear.

“Surprisingly, Glupteba leverages the Bitcoin blockchain to distribute its Command and Control (C2) domains to infected systems. Apart from the fact that this is an uncommon technique, this mechanism is also extremely resilient to takedowns as there is no way to erase nor censor a validated Bitcoin transaction,” Nozomi's report notes. “Using the same approach that Glupteba is using to hide data within the blockchain, researchers can hunt for malicious transactions and recover their payloads. If the said domains are not stored in plaintext, reversing the Glupteba samples enables security researchers to decrypt the payload and access the embedded domains.”

The malware is designed to search the public Bitcoin blockchain for transactions related to wallet addresses owned by the threat actor in order to fetch the encrypted command and control (C&C) server address. This allows the botnet operators to replace a C&C domain, should it be taken down, simply by sending a new transaction from the Bitcoin address that distributes the domains.
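The defender-side counterpart of this mechanism, hunting for operator transactions and recovering the embedded domains, can be illustrated with a small blockchain-parsing script. The code below is an added example and is not code from the article, from Nozomi Networks, or from the malware itself. It assumes that the payload is carried in an OP_RETURN output of a legacy-format Bitcoin transaction (a common way to embed data, but an assumption here, as the article does not say where the data sits) and uses a constructed SHA-256 counter keystream as a stand-in for whatever cipher the malware really uses; `DEMO_KEY` stands in for a key that, as the report notes, would have to be recovered by reversing a sample. The two transactions are constructed test data: the second one replaces the first domain, mirroring the takedown-resistant rotation described above.

```python
import hashlib
import struct

# Constructed stand-in for a key recovered from a reversed sample (assumption).
DEMO_KEY = b"demo-key-recovered-from-sample"


def encode_varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding (sizes up to 0xFFFF are enough here)."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    raise ValueError("size too large for this demo")


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a CompactSize at buf[pos]; return (value, next position)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    raise ValueError("size too large for this demo")


def op_return_script(data: bytes) -> bytes:
    """OP_RETURN followed by a single push of `data` (direct push or OP_PUSHDATA1)."""
    if len(data) < 0x4C:
        return b"\x6a" + bytes([len(data)]) + data
    if len(data) <= 0xFF:
        return b"\x6a\x4c" + bytes([len(data)]) + data
    raise ValueError("payload too large for this demo")


def keystream_xor(key: bytes, blob: bytes) -> bytes:
    """Constructed stand-in cipher: XOR with a SHA-256 counter keystream.
    This is NOT the real malware's scheme; it is symmetric, so the same
    call encrypts and decrypts."""
    out = bytearray()
    for i, b in enumerate(blob):
        if i % 32 == 0:
            block = hashlib.sha256(key + struct.pack("<I", i // 32)).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


def build_raw_tx(output_scripts: list[bytes]) -> bytes:
    """Serialise a minimal legacy (non-segwit) transaction with one dummy
    input and the given output scripts. Constructed test data only."""
    tx = struct.pack("<i", 2)                        # version
    tx += encode_varint(1)                           # one input
    tx += b"\x00" * 32 + struct.pack("<I", 0)        # dummy prevout (txid, index)
    tx += encode_varint(0)                           # empty scriptSig
    tx += struct.pack("<I", 0xFFFFFFFF)              # sequence
    tx += encode_varint(len(output_scripts))
    for script in output_scripts:
        tx += struct.pack("<q", 0)                   # zero-value output
        tx += encode_varint(len(script)) + script
    tx += struct.pack("<I", 0)                       # locktime
    return tx


def op_return_payloads(raw_tx: bytes) -> list[bytes]:
    """Walk a legacy raw transaction and collect the data pushed after OP_RETURN.
    Segwit serialisation (marker/flag after the version) is not handled here."""
    payloads = []
    pos = 4                                          # skip version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 36                                    # prevout txid + index
        slen, pos = read_varint(raw_tx, pos)
        pos += slen + 4                              # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    for _ in range(n_out):
        pos += 8                                     # value
        slen, pos = read_varint(raw_tx, pos)
        script = raw_tx[pos:pos + slen]
        pos += slen
        if not script or script[0] != 0x6A:          # not OP_RETURN
            continue
        if len(script) >= 2 and script[1] < 0x4C:    # direct push
            payloads.append(script[2:2 + script[1]])
        elif len(script) >= 3 and script[1] == 0x4C: # OP_PUSHDATA1
            payloads.append(script[3:3 + script[2]])
    return payloads


def hunt_c2_domains(raw_txs: list[bytes], key: bytes) -> list[str]:
    """Decrypt every OP_RETURN payload from the watched transactions and keep
    those that decode to a plausible hostname, in transaction order."""
    found = []
    for tx in raw_txs:
        for blob in op_return_payloads(tx):
            try:
                text = keystream_xor(key, blob).decode("ascii")
            except UnicodeDecodeError:
                continue                             # unrelated OP_RETURN data
            if text and "." in text and all(c.isalnum() or c in ".-" for c in text):
                found.append(text)
    return found


def demo_transactions() -> list[bytes]:
    """Two constructed transactions: the first publishes a domain, the second
    (which also carries an ordinary payment output) replaces it."""
    first = build_raw_tx([op_return_script(keystream_xor(DEMO_KEY, b"c2-old.example.invalid"))])
    second = build_raw_tx([
        b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac",  # plain P2PKH output, no payload
        op_return_script(keystream_xor(DEMO_KEY, b"c2-new.example.invalid")),
    ])
    return [first, second]


if __name__ == "__main__":
    print(hunt_c2_domains(demo_transactions(), DEMO_KEY))
```

In a real hunt the raw transactions would come from a node or block explorer for the watched wallet addresses, and the newest domain in the list is the one to block or sinkhole; the value of the approach is that every domain the operators ever published is permanently readable, so the full rotation history can be turned into indicators.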

Nozomi analyzed more than 1,500 Glupteba samples uploaded to VirusTotal, and was able to extract 15 wallet addresses that were used by the threat actors dating all the way back to June 19, 2019. The researchers believe that at least five different merchants and exchanges were used to fund the Glupteba addresses since 2019.

“In terms of resilience, we have seen how the actions Google took to disrupt the Glupteba botnet had an impact on the 2021 campaign, which we believe ended abruptly. Even with Google winning a favorable ruling recently, we hoped it would have inflicted a severe blow to Glupteba operations, but almost a year later we can say it most likely did not,” the researchers concluded.
