paint-brush
Glupteba, a Blockchain-Enabled Modular Malware, Is Back in Actionby@induction
335 reads
335 reads

Glupteba, a Blockchain-Enabled Modular Malware, Is Back in Action

by Vision NPDecember 20th, 2022
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Glupteba is a blockchain-backed trojan that uses a P2P network. This backdoor trojan has already infected many devices worldwide, including the US, India, Brazil, and many more. It is insanely a new technique to launch the attack by cybercriminals, utilizing the storage feature of distributed ledger technology (DLT)
featured image - Glupteba, a Blockchain-Enabled Modular Malware, Is Back in Action
Vision NP HackerNoon profile picture

Cybercriminals are using blockchain technology to launch cyberattacks by propagating malware and distributing ransomware on the internet. The Glupteba malware is back in action again and infects devices worldwide by leveraging blockchain technology.


What is Glupteba?

Glupteba is a blockchain-backed trojan that uses a P2P network. This trojan was initially discovered in 2014. A year ago, Google announced that it had taken action against the Glupteba botnet, but it appeared to be active again since June 2022 and is ongoing. This malware can infect Windows and IoT devices for the following primary purposes:


  • Mine cryptocurrencies (Cryptojacking)
  • Steal sensitive user credentials and cookies
  • Install a rootkit to control the bot, hide malware, and process as an administrator
  • Deploy and execute additional malware
  • Install unwanted software like browser extensions, ad displaying software, etc.

This backdoor trojan has already infected many devices worldwide, including the US, India, Brazil, and many more.

How was Glupteba discovered?

Nozomi Networks Labs discovered this trojan by scanning the blockchain to detect hidden C2 domains. They expended tremendous effort to see this trojan again, using more than 1,500 Glupteba samples to find the keys associated with the malware causing damage to devices. To understand more about Glupteba infrastructure, the Nozomi team analyzed the passive DNS records to find the domain associated with both Glupteba and the host. Finally, they compared them with TLS certificate sets used by the malware.

How does Glupteba work?

Essentially, Glupteba utilizes the Bitcoin blockchain to distribute its command and control (C2) domains to infected systems of various devices. The Bitcoin blockchain network allows storing of up to 80 bytes of arbitrary data within the signature script using OP_RETURN opcode. Cybercriminals take advantage of this new technique to launch attacks by utilizing the storage feature of distributed ledger technology (DLT). It is hard to take down, even for law enforcement officers, network defenders, and the victims because once the transactions are validated in the Bitcoin blockchain network, it forms immutable records and that means there’s no way to erase them.


Fig by Nozomi Networks Labs: The Bitcoin address contains the transactions with the command-and-control domains


So, attackers have utilized this blockchain mechanism to distribute C2 domains instead of using destination addresses. Once the botnet operator manages to spread C2 domains, he needs to send a transaction to configure malware that gets automatically reconfigured once C2 is refreshed on the infected devices.


The report has also suggested that Glupteba uses AES-GCM encryption to protect data in the BTC transaction.


Fig by Nozomi Networks Labs: The code calling the AES-GCM decryption routine


So this is the information about the Glupteba trojan. You can use the following method to detect whether or not this trojan infects your device.


How do you know if your device is Glupteba infected?

If your devices have Glupteba malware, you can see the following systems in the best-practiced conditions. Please note that sometimes, your devices may not exhibit these symptoms despite the presence of this trojan.


  • The trojan operators can mine crypto by using your computer’s resources, so your device battery keeps draining even without using a PC.
  • Overheating PC.
  • Glupteba is also capable of closing antivirus software. If you notice antivirus software repeatedly crashing, it can be due to malware infection.
  • Unwanted software running in the Task Manager list.

How to Portect Yourself from this malware and remove it from your device-if infected

Since removing malware is a complicated task once it gets injected into your PC, avoiding the installation of the malware is the best and safest practice in real life.

Here are a few tricks to prefer.

  • Don’t visit an untrusted website that exhibits aggressive ads. The Glupteba attackers prompt users to download malicious software via Malvertising ads.
  • Don’t download media and cracked software files from torrent or untrusted sites.
  • Always update, download, and exchange data via trusted networks and websites. Don’t use P2P networks for the above purposes.
  • Cybercriminals are continuously updating their malware, so keep your OS up to date.
  • Install the paid antivirus software solution with the best firewall to filter malicious ads, URLs, and suspicious downloads.
  • Tech literacy is essential to keep yourself safe from this sort of trojan.
  • Don’t open the link or file sent to your emails from untrusted senders.
  • Install the trusted miner-blocking and ads-blocking extensions on your browser.
  • If you think your device is already infected, antivirus software like Malwarebytes claims it can remove the Glupteba trojan. You can try this or other cybersecurity software.
  • The last tip is to stay up to date with the latest news and update.

Closing Notes:

Cybercriminals are using uncommon ways to launch attacks on various devices. This unique blockchain-backed malware is more dangerous than others because it is hard to detect and remove. This malware can hide malware files from the computer system, making it complex to remove. The best advice for you is to avoid installing malware on your PC and other IoT devices by following the cybersecurity guidelines.