Glupteba โ€” the malware inside the Bitcoin blockchain

2020-07-21 |

Glupteba, like a lot of malware nowadays is what we call a zombie or a bot that can be controlled from basically anywhere by the people who wrote it.

Glupteba, like a lot of malware nowadays is what we call a zombie or a bot that can be controlled from basically anywhere by the people who wrote it. Not only that, but Glupteba also includes a range of components that let it perform other “functions” as well.

Image for post

What is this exactly and what can it do?

SophosLabs has a technical paper on the subject matter that can be an excellent reading for people who wish to delve into the specific details of it. Glupteba uses pretty much every cybercrime trick you’ve ever heard of — and, probably more. Here are some of the most interesting “features”.

  • rootkit — Glupteba includes a variety of Windows kernel drivers that can hide the existence of specific files and processes. If loaded successfully, rootkits can help cybersecurity threats lie low by stopping them from showing up in security logs.


  • virus — lupteba uses two different variants of the ETERNALBLUE exploit to distribute itself automatically across your own network, and anyone else’s it can find by reaching out from your computer.


  • router attack tool and browser data thief- using your computer as a jumping off point to attack other people by opening up unpatched routers to act as network proxies. Additionally, it goes after local data files from four different browsers and uploads them to the perpetrators’ site. These data often contain sensitive information such as URL history, authentication cookies, login details and even passwords that can’t be accessed by code such as JavaScript running inside the browser.


  • cryptojacker — Glupteba can act as a secretive management tool for two different crypto mining tools. Basically, the perps can get you to pay their power bills and take the cryptocoins for themselves.


Image for post

But wait, there’s more!

Glupteba uses the Bitcoin blockchain as a communication channel for receiving updated configuration information. to tell a bot to switch from one C&C server to another, you typically don’t need to send out much more than new domain name or IP number, so the current command-and-control servers that are used, known as C2 servers or C&Cs, might get found out and blocked or killed off at any moment, so zombie malware often includes a method for using an otherwise innocent source of data for updates. Glupteba uses the fact that the Bitcoin transactions are recorded on the Bitcoin blockchain, which is a public record of transactions available from a multitude of sources that are accessible from most networks. To decrypt it, you need a 256-bit AES decryption key that’s coded into the the Glupteba malware program — when you decrypt the data from the block code to reverse the AES-256-GCM encryption, and you’ll reveal the hidden message.This sort of “hiding in plain sight” method is often referred to as steganography — read more about it here.

How bad is it and what can you do about it?

There are some good news and bad news on the subject matter: the former is that its complexity makes the malware less reliable, and more prone to triggering security alarms at some point; the latter is that its many self-protection components mean that it has many tricks available to stop itself showing up in your security logs. Glupteba also relies on numerous exploits that were patched many months or years ago — including the attacks it uses against routers — so a patched system is much less likely to get infected in the first place. Additional weakness is that its main delivery mechanism seems to be via “software cracks” on well-known piracy sites.

Image for post

As for countermeasures, there are three simple suggestions:

  • patch early, patch often — this goes for your operating system, your programs and apps and devices on your network


  • avoid shady software — if there is a “keygen” or a “crack” included in the install folder, you should consider the above

use decent antivirus and web filtering solutions — malware usually arrives as a series of downloads; so, even if you get hit by the first stage, you’ll have a better chance to weed out the malware from your system.


Enjoy reading? Please share:

Get the latest crypto news, updates and reports by subscribing to our free newsletter!