The operators of the Glupteba botnet resurfaced in June 2022 as part of a renewed and “upscaled” campaign, months after Google disrupted the malicious activity.
The ongoing attack is suggestive of the malware’s resilience in the face of takedowns, cybersecurity company Nozomi Networks said in a write-up. “In addition, there was a tenfold increase in TOR hidden services being used as C2 servers since the 2021 campaign,” it noted.
The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from MikroTik and Netgear.
Glupteba is also unusual in that it has used a public blockchain as its command-and-control (C2) mechanism since at least 2019, which makes its infrastructure resistant to the kind of takedown that works against a traditional C2 server.
Specifically, the botnet is designed to search the public Bitcoin blockchain for transactions related to wallet addresses owned by the threat actor so as to fetch the encrypted C2 server address.
“This is made possible by the OP_RETURN opcode that enables storage of up to 80 bytes of arbitrary data within the signature script,” the industrial and IoT security firm explained, adding the mechanism also makes Glupteba hard to dismantle as “there is no way to erase nor censor a validated Bitcoin transaction.”
The method also makes it easy to replace a C2 server should it be taken down: all the operators need to do is publish a new transaction from the actor-controlled Bitcoin wallet address carrying the encoded address of the updated server.
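As an added example (not Nozomi Networks' code, and nothing taken from Glupteba itself), the following Python decodes OP_RETURN payloads from a transaction's outputs, which is the first step an analyst takes when reviewing transactions from a wallet address flagged in a report like this one. The OP_RETURN push sits in each output's scriptPubKey, so the decoder walks that script, handles the direct, OP_PUSHDATA1/2/4 push encodings, and flags payloads above the 80-byte standard-relay limit the article mentions. All transaction data below is constructed, and the code stops at the raw bytes: the article says the C2 address is stored encrypted but does not describe the cipher or key, so no decryption is attempted.

```python
"""
Extract OP_RETURN payloads from Bitcoin transaction outputs for analysis.

Added example for defenders/analysts; it is not Nozomi Networks' code nor
Glupteba's. Every transaction output below is constructed by hand, and the
decryption of the embedded C2 address is out of scope.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OP_0 = 0x00
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
OP_PUSHDATA4 = 0x4E
OP_RETURN = 0x6A
MAX_OP_RETURN_DATA = 80  # standard relay policy limit for OP_RETURN data


@dataclass
class TxOutput:
    value_sats: int
    script_pubkey: bytes  # the output script, where OP_RETURN lives


def _read_push(script: bytes, pos: int) -> Tuple[Optional[bytes], int]:
    """Decode one data push starting at script[pos]; return (data, next_pos).
    Returns (None, pos) when the opcode at pos is not a push."""
    opcode = script[pos]
    pos += 1
    if opcode == OP_0:
        length = 0
    elif 1 <= opcode <= 75:            # direct push: opcode is the length
        length = opcode
    elif opcode == OP_PUSHDATA1:       # next 1 byte is the length
        length = script[pos]
        pos += 1
    elif opcode == OP_PUSHDATA2:       # next 2 bytes (little-endian) are the length
        length = int.from_bytes(script[pos:pos + 2], "little")
        pos += 2
    elif opcode == OP_PUSHDATA4:       # next 4 bytes (little-endian) are the length
        length = int.from_bytes(script[pos:pos + 4], "little")
        pos += 4
    else:
        return None, pos - 1
    if pos + length > len(script):
        raise ValueError("truncated push in script")
    return script[pos:pos + length], pos + length


def op_return_payload(script: bytes) -> Optional[bytes]:
    """Return the bytes pushed after OP_RETURN, or None for any other output type."""
    if not script or script[0] != OP_RETURN:
        return None
    pos, chunks = 1, []
    while pos < len(script):
        data, pos = _read_push(script, pos)
        if data is None:
            raise ValueError(f"non-push opcode 0x{script[pos]:02x} after OP_RETURN")
        chunks.append(data)
    return b"".join(chunks)


def scan_outputs(outputs: List[TxOutput]) -> List[dict]:
    """Report every OP_RETURN output with its size, standardness and content."""
    findings = []
    for vout, out in enumerate(outputs):
        payload = op_return_payload(out.script_pubkey)
        if payload is None:
            continue
        printable = all(32 <= b < 127 for b in payload)
        findings.append({
            "vout": vout,
            "length": len(payload),
            "standard": len(payload) <= MAX_OP_RETURN_DATA,
            "hex": payload.hex(),
            "printable": payload.decode("ascii") if printable else None,
        })
    return findings


def _build_op_return(data: bytes) -> bytes:
    """Fixture builder only: wrap data in an OP_RETURN script with a correct push."""
    if len(data) <= 75:
        return bytes([OP_RETURN, len(data)]) + data
    return bytes([OP_RETURN, OP_PUSHDATA1, len(data)]) + data


# Constructed outputs: one ordinary P2PKH, then three OP_RETURN outputs.
SAMPLE_OUTPUTS = [
    TxOutput(546, bytes.fromhex("76a914" + "11" * 20 + "88ac")),
    TxOutput(0, _build_op_return(b"CONSTRUCTED:encrypted-c2-blob")),
    TxOutput(0, _build_op_return(bytes(range(80)))),   # exactly at the limit
    TxOutput(0, _build_op_return(bytes(range(81)))),   # one byte over: non-standard
]

if __name__ == "__main__":
    for finding in scan_outputs(SAMPLE_OUTPUTS):
        print(finding)
```

Run against real transactions, the same scanner would be fed the scriptPubKey of each output from a node or block explorer; the non-standard flag matters because an 81-byte-plus payload can still end up in a block when mined directly, so size alone should not be used to rule an output out.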
In December 2021, Google managed to put a significant dent in its operations, alongside filing a lawsuit against two Russian nationals who oversaw the botnet. Last month, a U.S. court ruled in favor of the tech giant.
“While Glupteba operators have resumed activity on some non-Google platforms and IoT devices, shining a legal spotlight on the group makes it less appealing for other criminal operations to work with them,” the internet behemoth pointed out in November.
Nozomi Networks, which examined over 1,500 Glupteba samples uploaded to VirusTotal, said it was able to extract 15 wallet addresses that were put to use by the threat actors dating all the way back to June 19, 2019.
The ongoing campaign that commenced in June 2022 is also perhaps the biggest wave in the past few years, with the number of rogue Bitcoin addresses rising to 17, up from four in 2021.
One of those addresses, which was first active on June 1, 2022, has transacted 11 times to date and is used in as many as 1,197 artifacts, making it the most widely used wallet address. The last transaction was recorded on November 8, 2022.
“Threat actors are increasingly leveraging blockchain technology to launch cyberattacks,” the researchers said. “By taking advantage of the distributed and decentralized nature of blockchain, malicious actors can exploit its anonymity for a variety of attacks, ranging from malware propagation to ransomware distribution.”