Gluptepa malware using the Bitcoin blockchain to stay alive?

As per TrendMicro, cybersecurity researchers have discovered a new strain of the infamous Gluptepa malware. The malware uses the Bitcoin blockchain to stay alive. Analysts confirm that this strain is capable of invading systems to mine Monero and steal sensitive data like passwords and cookies. It also exploits a vulnerability in MicroTik routers to transform target machines into a SOCKS proxy. After that, it executes spam attacks on Instagram users.

The malware uses the Bitcoin blockchain to automatically update and run smoothly even if the antivirus software blocks its connection to remote command and control (C&C) servers run by the attackers. As investigated by TrendMicro’s researchers, Gluptega attackers will first send a Bitcoin transaction via the Electrum wallet. It will then make its way through a public list of the wallet’s servers to find every transaction made by the attacker. Within those transactions, Gluptega will exploit the OP_RETURN opcode containing the encrypted C&C domain. The domain gets decrypted by a ScriptHash string which is hardcoded within the malware.

TrendMicro said:

“This technique makes it more convenient for the threat actor to replace C&C servers. If they lose control of a C&C server for any reason, they simply need to add a new Bitcoin script and the infected machines obtain a new C&C server by decrypting the script data and reconnecting.”

There are two ways to protect yourself against the malware - Don’t click on suspicious links and emails and ensure that your router’s firmware is up-to-date.