Back in December 2022 we published an analysis of the Glupteba malware. Glupteba is a malware family distributed via Pay-Per-Install networks and infected software, which can deploy, among other payloads, infostealers, cryptocurrency miners and modules aimed at exploiting IoT vulnerabilities from infected systems.
In the previous blog we showcased how the Glupteba operators leveraged the Bitcoin blockchain’s immutable and decentralised nature to set up a C2 distribution mechanism that’s extremely resilient to takedowns. Additionally, by scanning the Bitcoin blockchain and checking passive DNS logs and patterns in TLS certificates, we provided a timeline of events such as C2 domain registrations and wallet transactions, clustering the activity into 4 individual campaigns.
Glupteba captured our attention due to its longevity, having been active for several years, and the extensive range of modules it can deploy to carry out a variety of malicious activities. Its ability to target not only traditional systems but also IoT devices makes it a versatile and potent threat. What sets Glupteba apart, however, are the more novel aspects of its architecture, such as its use of the Bitcoin blockchain for command-and-control communication, which demonstrates a sophisticated approach to resilience and evasion. Although the botnet is currently inactive, its architecture allows it to become operational again at any moment. We are excited to share our findings with the security community in a white paper, which provides a more comprehensive analysis of this malware and actionable insights to help detect and mitigate it.
Decentralized C2 Distribution Through the Bitcoin Blockchain
The main feature of Glupteba that originally caught our interest was its novel mechanism to distribute C2 addresses to infected machines, which utilizes the bitcoin blockchain. The bitcoin blockchain can be conceptualized as a distributed, append-only, public ledger recording bitcoin transactions.
Bitcoin is built on top of public-key cryptography, so a private key is used to sign transactions, and a public key is used to derive bitcoin addresses, which can be used as identifiers to send bitcoin to. Bitcoin transactions are public and can be viewed by anyone. Additionally, once a transaction has been validated and placed into a block, which becomes part of the blockchain, the transaction can no longer be reversed or censored in any way.
The bitcoin blockchain has several properties that make it useful for the C2 distribution mechanism used by the Glupteba botnet operators. In a nutshell, the mechanism works as follows: Glupteba samples embed a bitcoin address. Using public APIs offered by blockchain explorer web services, the bot looks up all the transactions originating from that bitcoin address. If a transaction is found, the infected machine attempts to decrypt the information stored within the transaction’s OP_RETURN field, which points to a new C2 domain.
The bitcoin blockchain’s distributed nature, immutability, and transparency are particularly useful properties here. As long as the operators control the private keys associated with the addresses embedded in Glupteba samples, they are the only ones who can announce new C2 domains. Furthermore, transactions cannot be censored by anyone and are publicly available for anyone to view, which allows infected systems to look them up. Using the blockchain provides an elegant method to achieve takedown resistance for the botnet.
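A defender-side view of the same lookup, added here as an example (it is not code from the white paper or from Glupteba itself): it parses a raw legacy Bitcoin transaction and extracts whatever was pushed after OP_RETURN, so an analyst hunting on an address embedded in a sample can archive the payload for later inspection. The transaction it parses is constructed inside the block; decryption of the payload is not shown, since the key material is not described on this page.

```python
# Added hunting helper (not Glupteba's own code): pull OP_RETURN payloads out of raw
# transactions spent from a bitcoin address embedded in a sample. build_sample_tx() is a constructed test tx.
import struct

OP_RETURN, OP_PUSHDATA1 = 0x6A, 0x4C

def read_varint(buf: bytes, pos: int):
    """Decode Bitcoin's CompactSize varint; returns (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + size

def op_return_payload(script: bytes):
    """Data pushed after OP_RETURN; b"" for a bare OP_RETURN; None if not an OP_RETURN script."""
    if not script or script[0] != OP_RETURN:
        return None
    op = script[1] if len(script) > 1 else 0
    if 1 <= op <= 0x4B:                 # direct push of 1..75 bytes
        n, pos = op, 2
    elif op == OP_PUSHDATA1:            # 76..255 bytes (nodes relay at most 80 by default)
        n, pos = script[2], 3
    else:
        n, pos = 0, 1                   # bare OP_RETURN or a non-push opcode: no data
    return script[pos:pos + n]

def op_returns_in_tx(raw_tx: bytes):
    """Walk a legacy (non-SegWit) serialised tx, yielding every OP_RETURN payload."""
    pos = 4                                         # version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 36                                   # prev txid + output index
        slen, pos = read_varint(raw_tx, pos)
        pos += slen + 4                             # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    for _ in range(n_out):
        pos += 8                                    # value in satoshis
        slen, pos = read_varint(raw_tx, pos)
        payload = op_return_payload(raw_tx[pos:pos + slen])
        pos += slen
        if payload is not None:
            yield payload

def build_sample_tx(payload: bytes) -> bytes:
    # Constructed sample: one dummy input, one P2PKH output, one OP_RETURN output carrying `payload`.
    push = bytes([len(payload)]) if len(payload) <= 0x4B else bytes([OP_PUSHDATA1, len(payload)])
    op_ret, p2pkh = bytes([OP_RETURN]) + push + payload, bytes.fromhex("76a914") + b"\xbb" * 20 + b"\x88\xac"
    return (b"\x01\x00\x00\x00\x01" + b"\xaa" * 32 + b"\x00\x00\x00\x00\x00\xff\xff\xff\xff\x02"
            + struct.pack("<Q", 0x1234) + bytes([len(p2pkh)]) + p2pkh
            + struct.pack("<Q", 0) + bytes([len(op_ret)]) + op_ret + b"\x00\x00\x00\x00")
```

Feed `op_returns_in_tx` the raw transaction bytes returned by whichever explorer or node you query; the extracted bytes are what the bot would go on to decrypt.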
Nozomi Networks Labs conducted an in-depth investigation of the Glupteba malware. In our whitepaper, we provide:
- An analysis of the main dropper
- Bot configuration
- Anti-VM techniques
- Embedded kernel drivers
- Network interaction with C2
- Actionable network-based IOCs
- Timeline of the botnet’s operation
Conclusion
Malicious actors are constantly driven to innovate, developing new and sophisticated methods to infiltrate systems and maintain control over compromised devices in a more resilient manner. This allows them to extend the lifespan of their operations while minimizing the risk of detection and shutdown by security measures. By continuously evolving their tactics, these attackers aim to stay ahead of countermeasures, ensuring that their campaigns remain effective for as long as possible while avoiding takedown attempts from cybersecurity teams and law enforcement. Glupteba's reliance on the transparent nature of the Bitcoin blockchain provided us with critical insights into the timeline of the threat actor's activities. By analyzing blockchain transactions, we were able to discover domains used as command & control servers, identify key operational phases, and map out a clearer picture of how and when the actor conducted their operations.