Malware Uses Bitcoin Blockchain to Reproduce C2 Connections to Target Users

On September 4th, TrendMicro detailed on their blog information on the new variant of Glupteba that can utilize the bitcoin blockchain to reproduce itself.


s Blockchain technology continues to advance the threats against cyber security and our privacy advance as well. Most recently a known virus has evolved to use blockchain to infect end users’ devices.

IT security firm TrendMicro warns of a new malware threat that abuses the Bitcoin blockchain. On September 4th, TrendMicro detailed on its blog a new variant of Glupteba that can use the bitcoin blockchain to re-establish its connection to the attackers, bypassing earlier blocks placed against it, and to update itself.

“We recently caught a malvertising attack distributing the malware Glupteba. This is an older malware that was previously connected to a campaign named Operation Windigo and distributed through exploit kits to Windows users,” said TrendMicro. “In 2018, a security company reported that the Glupteba botnet may have been independent from Operation Windigo and had moved to a pay-per-install adware service to distribute it in the wild.”

First discovered in 2011, Glupteba is distributed through malicious advertising that spreads the malware via scripts, and it can steal an infected device’s information such as its browsing history, website cookies, and account names.


Additionally, the researchers report that the newest version of Glupteba can also mine the privacy-focused Monero cryptocurrency, and it can threaten the security of Instagram users’ accounts by exploiting a known vulnerability in MikroTik routers to turn the target machine into a SOCKS proxy used to launch widespread spam attacks.

“The activities of the actors behind Glupteba have been varied: they were suspected of providing proxy services in the underground, and were identified as using the EternalBlue exploit to move into local networks and run Monero (XMR) cryptocurrency miners,” wrote Jaromir Horejsi and Joseph C. Chen of TrendMicro.

How it Works

TrendMicro created an infographic to show how the attack works, and we’ve added it below. Essentially, a target device is hit via an advert or a link that an unsuspecting end user might click on; this is known as “malvertising.” The malware then downloads itself onto the user’s device.

Once downloaded, it can connect to the hacker’s chosen server and give the attackers access to the infected device’s information. Usually anti-virus software can catch the malware and block it from reconnecting to the server, but the recent strain of Glupteba can now use the Bitcoin blockchain to reconnect to the hackers’ server without anti-virus software noticing.

According to TrendMicro, the malware can use Bitcoin to automatically update itself, ensuring that it keeps running even if the remote C&C connection run by the attackers is blocked. The actors behind Glupteba first send Bitcoin transactions via the Electrum Bitcoin wallet, which was previously targeted by a phishing campaign.

[Infographic: how the attack works, via TrendMicro 2019]

The malware is reportedly programmed with a hardcoded ScriptHash string, and it works through a public list of Electrum servers to find every transaction made by the attacker. Within those transactions is seemingly innocuous OP_RETURN data that contains an encrypted C&C domain. The ScriptHash string is then used to decrypt that data.
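For analysts who want to see what such an update carries, the following is an added example (not TrendMicro's code, nor anything from the Glupteba sample) that extracts the OP_RETURN payload from Bitcoin transaction outputs; the transaction records are constructed and only mimic the "vout" layout of a verbose transaction as an Electrum server returns it. The extracted bytes stay opaque here, since the article states they are encrypted and gives no decryption scheme.

```python
# Added example, not TrendMicro's code: pull the OP_RETURN payload out of Bitcoin
# transaction outputs so an analyst can see what a Glupteba-style C&C update
# carries. Transaction records below are constructed test data.

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D


def parse_op_return(script_hex: str):
    """Return the pushed bytes if script_hex is an OP_RETURN output, else None."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    pos, payload = 1, bytearray()
    while pos < len(script):              # a script may carry several pushes
        op, pos = script[pos], pos + 1
        if 1 <= op <= 0x4B:               # direct push: the opcode is the length
            length = op
        elif op in (OP_PUSHDATA1, OP_PUSHDATA2):
            n = 1 if op == OP_PUSHDATA1 else 2   # 1 or 2 little-endian length bytes
            if pos + n > len(script):
                return None               # length bytes missing: malformed script
            length, pos = int.from_bytes(script[pos:pos + n], "little"), pos + n
        else:
            return None                   # not a plain data carrier: ignore it
        if pos + length > len(script):
            return None                   # truncated push: malformed script
        payload += script[pos:pos + length]
        pos += length
    return bytes(payload)


def op_return_payloads(history):
    """Return (txid, payload) for every OP_RETURN output in a transaction history."""
    found = []
    for tx in history:
        for vout in tx["vout"]:
            payload = parse_op_return(vout["scriptPubKey"]["hex"])
            if payload is not None:
                found.append((tx["txid"], payload))
    return found


# Constructed history: a normal pay-to-pubkey-hash output next to an OP_RETURN
# output carrying 16 opaque bytes that stand in for the encrypted C&C domain.
SAMPLE_HISTORY = [
    {"txid": "aa" * 32, "vout": [
        {"scriptPubKey": {"hex": "76a914" + "11" * 20 + "88ac"}},
        {"scriptPubKey": {"hex": "6a10" + "deadbeef" * 4}},
    ]},
    {"txid": "bb" * 32, "vout": [{"scriptPubKey": {"hex": "76a914" + "22" * 20 + "88ac"}}]},
]
```

Running `op_return_payloads(SAMPLE_HISTORY)` yields only the first transaction's 16-byte payload; a blocked domain can be mapped back to the transaction that published it this way.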

TrendMicro said of the benefits of this process: “If they lose control of a C&C server for any reason, they simply need to add a new Bitcoin script and the infected machines obtain a new C&C server by decrypting the script data and reconnecting.”

Ultimately, anyone deciding to use cryptocurrencies, especially BTC, runs the risk of exploitation and cyber attacks. Always make sure you are well protected by using security measures such as two-factor authentication and by avoiding any suspicious advertising material online.
