Nozomi researchers track malicious Glupteba trojan activity through blockchain technology

Researchers from Nozomi Networks Labs said Thursday that the Glupteba trojan is an example of attackers leveraging blockchain technology to carry out malicious activity. The backdoor trojan is distributed through ‘Pay-Per-Install’ networks (online ad campaigns that push software or application downloads), bundled into infected installers or software cracks.

“Once Glupteba is active on a system, the botnet operators can deploy additional modules from the credential stealer to exploit kits compromising devices on the target network,” the researchers wrote in a blog post. “There are several Glupteba modules aimed at exploiting vulnerabilities in various Internet of Things (IoT) appliances from vendors, such as MikroTik and Netgear.”

Surprisingly, Glupteba leverages the Bitcoin blockchain to distribute its Command and Control (C2) domains to infected systems, Nozomi noted. “Apart from the fact that this is an uncommon technique, this mechanism is also extremely resilient to takedowns as there is no way to erase nor censor a validated Bitcoin transaction.”

The post added that, using the same approach Glupteba uses to hide data within the blockchain, researchers can hunt for malicious transactions and recover their payloads. “If the said domains are not stored in plaintext, reversing the Glupteba samples enables security researchers to decrypt the payload and access the embedded domains.”

In April this year, U.S. agencies warned critical infrastructure and financial sector organizations in the blockchain technology and cryptocurrency industry of cyber threats associated with cryptocurrency thefts and the tactics of a North Korean state-sponsored advanced persistent threat (APT) group, which the U.S. government refers to as ‘TraderTraitor’ and has observed since at least 2020.

The San Francisco, California-based industrial cybersecurity company called on defenders and responders to block blockchain-related domains such as ‘blockchain[dot]info’ and known Glupteba C2 domains in their environments. “We also recommend monitoring DNS logs and keeping the antivirus software up to date to help prevent a potential Glupteba infection,” it added.
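The DNS-log monitoring Nozomi recommends above is easy to get subtly wrong: a naive substring match on ‘blockchain.info’ misses nothing, but a naive match on a short C2 name also fires on unrelated hosts, and a match that ignores label boundaries lets ‘notblockchain.info’ through or not depending on implementation. The script below is an added example written for this article, not Nozomi's tooling; it assumes dnsmasq's query log format, and its watch-list holds blockchain[dot]info (named in the article) plus a placeholder entry standing in for real Glupteba C2 domains a team would pull from threat intelligence. The log lines are constructed.

```python
"""Flag DNS queries for blockchain lookup services and known C2 (added example)."""
import re
from collections import namedtuple

# Watch-list. blockchain.info is the domain the article names; the .invalid entry is a
# placeholder standing in for Glupteba C2 domains taken from threat-intel feeds.
WATCHLIST = {
    "blockchain.info": "blockchain lookup service",
    "glupteba-c2-placeholder.invalid": "known Glupteba C2 (placeholder)",
}

Hit = namedtuple("Hit", "timestamp client qtype qname rule")

# dnsmasq query log line: "<syslog ts> <host> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)


def matches_watchlist(qname, watchlist=WATCHLIST):
    """Return the matching watch-list entry, honouring DNS label boundaries.

    'api.blockchain.info' matches 'blockchain.info'; 'notblockchain.info' must not.
    Trailing dots and case are normalised so FQDN-style log entries still match.
    """
    name = qname.rstrip(".").lower()
    for entry in watchlist:
        if name == entry or name.endswith("." + entry):
            return entry
    return None


def scan_dnsmasq_log(lines, watchlist=WATCHLIST):
    """Parse dnsmasq query lines and return a Hit for every watch-listed lookup."""
    hits = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # not a query line (replies, config, cached answers ...)
        entry = matches_watchlist(m["qname"], watchlist)
        if entry:
            hits.append(Hit(m["ts"], m["client"], m["qtype"], m["qname"], watchlist[entry]))
    return hits


def clients_by_hits(hits):
    """Aggregate hits per client so the noisiest host is triaged first."""
    counts = {}
    for h in hits:
        counts[h.client] = counts.get(h.client, 0) + 1
    return counts


# Constructed sample log (not real traffic). 10.0.0.7 behaves like an infected host
# fetching its C2 list; 10.0.0.9 queries a look-alike name that must not match.
SAMPLE_LOG = "\n".join([
    "Nov  8 12:00:01 gw dnsmasq[1042]: query[A] www.example.com from 10.0.0.5",
    "Nov  8 12:00:02 gw dnsmasq[1042]: query[A] blockchain.info from 10.0.0.7",
    "Nov  8 12:00:02 gw dnsmasq[1042]: query[A] api.blockchain.info from 10.0.0.7",
    "Nov  8 12:00:03 gw dnsmasq[1042]: query[A] notblockchain.info from 10.0.0.9",
    "Nov  8 12:00:04 gw dnsmasq[1042]: query[AAAA] glupteba-c2-placeholder.invalid from 10.0.0.7",
])

if __name__ == "__main__":
    found = scan_dnsmasq_log(SAMPLE_LOG.splitlines())
    for hit in found:
        print(f"{hit.timestamp} {hit.client} {hit.qtype} {hit.qname} <- {hit.rule}")
    print("clients:", clients_by_hits(found))
```

A lookup of blockchain[dot]info from a workstation is not proof of infection on its own (the site has legitimate users), so the per-client aggregation is what turns the match into a lead: one host resolving the blockchain API and then a known C2 name in the same minute is worth pulling for the antivirus check the article recommends.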

Nozomi identified 15 Glupteba Bitcoin addresses spanning more than four years, across what the researchers have labeled as four different campaigns.

In the first campaign, Nozomi researchers said that the oldest wave seems to have started in June 2019. “Back then, only one single Bitcoin address was used to distribute the malicious domains. This also corroborates what Google found out in their lawsuit against two Glupteba operators,” they added. 

“We can see the OP_RETURN transactions like 3Jt2U where the funds bounce back to the 15y7d address,” the post added. “Interestingly all the remaining $36.18 on the 15y7d address were sent to the address 3Jwj7 in February 2020. No activity has been observed at that address since then.”

The second wave seems to have started in April 2020; this time two Bitcoin addresses were used to distribute the malicious C2 domains, Nozomi revealed. “Interestingly we did not find any samples using the second address; it could be a testing address to ensure the Glupteba variants were behaving as expected. In addition, the domain distributed via the supposedly testing address deepsound[dot]live has not been seen in any other transactions we were able to find across both addresses. It could also be that we simply are missing some samples.”

“Here the same pattern can be observed on the main address 1CgPC, after a period of activity, the remaining funds accounting for $28.45 were transferred back to some vendor or merchant in November 2021,” the researchers said. “At the supposed test Bitcoin address, the funds were not transferred and remain to this day on the account for a balance of $76.80.”

The third campaign started in November 2021, and the number of Bitcoin addresses used to deliver malicious domains doubled, from two in 2020 to four in 2021, Nozomi said. “This campaign was the shortest of all, with a lifespan of only about two months. We believe this is likely due to Google efforts to take the botnet down when, about a year ago, Google filed a lawsuit against two Glupteba operators, and several actions were taken to disrupt the botnet operations. This is also the first time TOR hidden services were used as a command-and-control server by Glupteba,” it added.

Glupteba operators used four wallets, with the most active one being 1CUha, Nozomi identified. “Again, there were no remaining funds left on the Bitcoin addresses. This is also the oldest address in this campaign and the one with the highest number of transactions. Interestingly, we were not able to find a single sample referring to the address 1GLjC which we believe could have been used for testing the malware, similar to 2020. The domain used newcc[dot]com was also not registered at the time and could indicate it was used in a testing environment or we could be missing some samples,” it added.

The latest and ongoing campaign started in June this year, six months after the Google lawsuit, and this time the number of malicious Bitcoin addresses increased significantly, Nozomi disclosed. “We believe this is due to several factors. First, having more Bitcoin addresses makes security researchers’ job more complicated. Second, to show that the Google lawsuit did not have a major effect on their Glupteba operations.”

“For this campaign, we were not able to find any samples for 3 of the addresses we gathered,” according to Nozomi. “We believe these addresses are not made for testing as they distribute some domains found in other Bitcoin addresses for which we found samples. In addition, there was a tenfold increase in TOR hidden services being used as C2 servers since the 2021 campaign.”

Lastly, “we traced back these transactions even further, and we believe that at least five different merchants and exchanges were used to fund the Glupteba addresses since 2019,” the post added.

The Nozomi researchers said that the blockchain technique has also been used by the Cerber ransomware in the past. Cerber monitored Bitcoin transactions originating from specific addresses and took the first 6 characters of a destination address, appending a .top TLD, to generate a domain, which the malware then queried to find the active C2 infrastructure.

“Glupteba is known to be using a similar mechanism relying on OP_RETURN instead of destination addresses to distribute its C2 domains,” the researchers said. “In case of a C2 domain being taken down, the botnet operators only need to send a new transaction from the Bitcoin address distributing the domains and voila, the malware will adjust its configuration the next time the C2 is refreshed. The latest identified Glupteba bitcoin transaction dates to the 8th of November 2022 with its embedded payload 000c0b0006171c11064d150a0b16,” they added.
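The two blockchain channels described on this page, Cerber's address-derived domains and Glupteba's OP_RETURN payloads, can both be recovered from raw transaction bytes with the same small parser, which is also the starting point for the hunting approach Nozomi mentions earlier (find the transactions, pull out the payload, then decrypt it with whatever routine reversing the sample reveals). The script below is an added example, not code from Nozomi or from either malware family. It assumes a standard serialized Bitcoin transaction and mainnet P2PKH outputs; the transaction it parses is constructed in-script and is not an on-chain transaction, although its OP_RETURN output carries the hex payload quoted above. The Cerber TLD (.top) and the six-character prefix come from the article; the decryption step for Glupteba is sample-specific and is deliberately not invented here.

```python
"""Recover C2 domains hidden in Bitcoin transactions (added example, not Nozomi code)."""
import hashlib
import struct

OP_RETURN, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x6A, 0x76, 0xA9, 0x88, 0xAC
OP_PUSHDATA1, OP_PUSHDATA2 = 0x4C, 0x4D
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def read_varint(buf, pos):
    """Bitcoin CompactSize integer -> (value, new position)."""
    n = buf[pos]
    if n < 0xFD:
        return n, pos + 1
    fmt, width = {0xFD: ("<H", 2), 0xFE: ("<I", 4), 0xFF: ("<Q", 8)}[n]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + width


def parse_outputs(raw):
    """Walk a serialized transaction and return [(value_sats, scriptPubKey)]."""
    pos = 4                                   # 4-byte version
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        pos += 2                              # segwit marker + flag
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                             # prev txid + output index
        slen, pos = read_varint(raw, pos)
        pos += slen + 4                       # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        slen, pos = read_varint(raw, pos + 8)
        outs.append((value, raw[pos:pos + slen]))
        pos += slen
    return outs                               # witness data and locktime are not needed


def script_pushes(script):
    """Return the data pushes of a script, skipping any non-push opcodes."""
    pushes, pos = [], 0
    while pos < len(script):
        op, pos = script[pos], pos + 1
        if 1 <= op <= 0x4B:                   # OP_PUSHBYTES_n
            n = op
        elif op == OP_PUSHDATA1:
            n, pos = script[pos], pos + 1
        elif op == OP_PUSHDATA2:
            n, pos = struct.unpack_from("<H", script, pos)[0], pos + 2
        else:
            continue
        pushes.append(script[pos:pos + n])
        pos += n
    return pushes


def op_return_payloads(raw):
    """Glupteba-style channel: the bytes carried in every OP_RETURN output."""
    return [p for _, spk in parse_outputs(raw) if spk[:1] == bytes([OP_RETURN])
            for p in script_pushes(spk[1:])]


def base58check(payload):
    """Base58Check: payload + first 4 bytes of double-SHA256, leading zero bytes -> '1'."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num, out = int.from_bytes(payload + checksum, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    leading_zero_bytes = len(payload) - len(payload.lstrip(b"\x00"))
    return "1" * leading_zero_bytes + out


def cerber_style_domains(raw, tld=".top"):
    """Cerber-style channel: first 6 characters of each P2PKH destination address + TLD."""
    domains = []
    for _, spk in parse_outputs(raw):
        is_p2pkh = (len(spk) == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
                    and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]))
        if is_p2pkh:
            address = base58check(b"\x00" + spk[3:23])   # 0x00 = mainnet P2PKH version byte
            domains.append(address[:6] + tld)
    return domains


# --- constructed sample transaction (test data only, not an on-chain transaction) ---
def _varint(n):
    return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)


def build_tx(outputs):
    """Serialize a one-input, non-segwit transaction carrying the given outputs."""
    tx = struct.pack("<I", 1) + _varint(1)
    tx += b"\x00" * 32 + struct.pack("<I", 0) + _varint(0) + struct.pack("<I", 0xFFFFFFFF)
    tx += _varint(len(outputs))
    for value, spk in outputs:
        tx += struct.pack("<q", value) + _varint(len(spk)) + spk
    return tx + struct.pack("<I", 0)


PAYLOAD = bytes.fromhex("000c0b0006171c11064d150a0b16")   # payload hex quoted in the article
P2PKH_ZERO = bytes([OP_DUP, OP_HASH160, 20]) + b"\x00" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_OTHER = bytes([OP_DUP, OP_HASH160, 20]) + bytes(range(1, 21)) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SAMPLE_TX = build_tx([
    (0, bytes([OP_RETURN, len(PAYLOAD)]) + PAYLOAD),
    (546, P2PKH_ZERO),        # all-zero hash160: the well-known 1111...4oLvT2 address
    (10_000, P2PKH_OTHER),    # arbitrary hash160, stands in for a real recipient
])

if __name__ == "__main__":
    for p in op_return_payloads(SAMPLE_TX):
        print("OP_RETURN payload:", p.hex())   # still opaque until the sample's decryption is applied
    print("Cerber-style domains:", cerber_style_domains(SAMPLE_TX))
```

Run against real data, the same functions work on the hex returned by any raw-transaction API for the addresses Nozomi lists; the operational difference is that Cerber's domain is derivable from the address alone, while the OP_RETURN payload only becomes a domain once the decryption routine is lifted from the sample, which is why the resilient part of Glupteba's design is the transaction, not the secrecy of the scheme.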

Earlier this month, Nozomi released a technical analysis of the core Meris botnet capabilities. The team identified that from about 2018 to 2021 the Glupteba botnet, the backbone of the Meris botnet, was used to infect hundreds of thousands of MikroTik devices and turn them into nefarious internet relays. One of the main Glupteba modules involved is called WindiGo (aka RanaumBot), which delivers its payload over Winbox, a proprietary protocol used to configure MikroTik devices.
