Menace actors are more and more leveraging blockchain expertise to launch cyberattacks. By profiting from the distributed and decentralized nature of blockchain, malicious actors can exploit its anonymity for quite a lot of assaults, starting from malware propagation to ransomware distribution.

The Glupteba trojan is an instance of a risk actor leveraging blockchain-based applied sciences to hold out their malicious exercise. On this weblog, Nozomi Networks Lab presents our newest findings on Glupteba and the way safety groups can seek for malicious exercise within the blockchain.

Organizations undergoing digital transformation need to focus on operational technology security.
Nozomi Networks Researchers have tracked Glupteba by means of the blockchain, figuring out 15 Glupteba bitcoin addresses spawning over 4 years, by means of 4 completely different campaigns.

What’s Glupteba?

Glupteba is a backdoor trojan that’s downloaded by way of Pay-Per-Set up networks – on-line advert campaigns that immediate software program or software downloads – in contaminated installers or software program cracks. As soon as Glupteba is energetic on a system, the botnet operators can deploy extra modules from the credential stealer to use kits compromising units on the goal community. There are a number of Glupteba modules aimed toward exploiting vulnerabilities in varied Web of Issues (IoT) home equipment from distributors, similar to MikroTik and Netgear.

Surprisingly, Glupteba leverages the Bitcoin blockchain to distribute its Command and Management (C2) domains to contaminated techniques. Other than the truth that that is an unusual approach, this mechanism can also be extraordinarily resilient to takedowns as there isn’t a technique to erase nor censor a validated Bitcoin transaction. Utilizing the identical strategy that Glupteba is utilizing to cover knowledge throughout the blockchain, researchers can hunt for malicious transactions and get better their payloads. If the stated domains will not be saved in plaintext, reversing the Glupteba samples permits safety researchers to decrypt the payload and entry the embedded domains.

Utilizing the Blockchain to Retailer Information

The Bitcoin blockchain can be utilized to retailer arbitrary knowledge. That is made doable by the OP_RETURN opcode that allows storage of as much as 80 bytes of arbitrary knowledge throughout the signature script. This storage mechanism has a number of benefits. First, it’s resilient to takedowns. As soon as a transaction has been validated, there isn’t a technique to erase it – that is the character of the blockchain. Utilizing this mechanism to distribute C2 area implies that regulation enforcement officers, community defenders, and incident responders haven’t any technique to take down the Bitcoin tackle and erase the transaction. The way in which the Bitcoin blockchain is constructed on high of contemporary cryptography additionally makes this mechanism safe; with out the Bitcoin tackle personal key, one can not ship a transaction with such a knowledge payload originating from the malicious tackle, therefore, taking up the botnet shouldn’t be doable. Moreover, risk actors can encrypt their payload from peering eyes, making the information storage scheme strong and price efficient.

This system has additionally been utilized by the Cerber ransomware prior to now. Bitcoin transactions originating from particular addresses have been monitored and the primary 6 characters of a vacation spot tackle have been used together with a .high TLD appended to> generate a website, which might be used to question the energetic C2 infrastructure.

Glupteba is thought to be utilizing the same mechanism counting on OP_RETURN as an alternative of vacation spot addresses to distribute its C2 domains. In case of a C2 area being taken down, the botnet operators solely have to ship a brand new transaction from the Bitcoin tackle distributing the domains and voila, the malware will regulate its configuration the subsequent time the C2 is refreshed. The latest identified Glupteba bitcoin transaction dates to the eighth of November 2022 with its embedded payload 000c0b0006171c11064d150a0b16.

The hexadecimal payload above doesn’t appear to signify something near a website identify and that’s as a result of Glupteba makes use of, in its newest variant, a XOR encryption scheme to guard the information. As soon as the bottom line is identified, sometimes by reverse engineering a pattern similar to c6d4ce67dd25764f571a84caa19fa6c2b067cae6, decrypting the information turns into easy; see a pattern of this decryption in Github.

The Evolution of Glupteba

Glupteba is thought to make use of the Bitcoin blockchain to distribute its C2 servers since at least 2019. To retrieve the Bitcoin transactions, a number of suppliers are used, normally and The Glupteba perform accountable for querying to retrieve the transaction knowledge is proven in Determine 1.

Figure 1. The Bitcoin address that contains the transactions with the command-and-control domains.
Determine 1. The Bitcoin tackle that accommodates the transactions with the command-and-control domains.

The way in which the domains are protected throughout the transactions has barely advanced over time. In 2019, Glupteba used AES-GCM to guard and embed the information within the bitcoin transactions. Every pattern was shipped with a hardcoded key and initialization vector enabling the pattern to decrypt the payload from the Bitcoin transaction. Determine 2 exhibits the decryption routine within the oldest Glupteba variations..

Figure 2. The Glupteba code calling the AES-GCM decryption routine.
Determine 2. The Glupteba code calling the AES-GCM decryption routine.

In newer variations of the malware, this scheme was switched to a easy XOR cipher, which is at present getting used. All samples we discovered have been utilizing the identical key: “cheesesauce”. Determine 3 exhibits this key being moved round in reminiscence within the perform accountable to decrypt the ciphertext.

Figure 3. The XOR cipher key is being loaded in the Glupteba decryption routine.
Determine 3. The XOR cipher secret’s being loaded within the Glupteba decryption routine.

Timeline of Occasions  

Given all that info, we went on a blockchain harvesting tour, scanning your entire Bitcoin blockchain for hidden C2 domains. We tried to decrypt the information payload of the OP_RETURN script current in every transaction of each block utilizing all of the algorithms and keys we all know to be related to Glupteba. As well as, we downloaded over 1500 Glupteba samples from VirusTotal and seemed on the pockets addresses they used to ensure we didn’t miss something. However that’s not all: the most recent set of TLS certificates Glupteba makes use of additionally displays a precise pattern within the Topic Different Names and, due to certificates transparency, this may be hunted for. Lastly, we additionally took an in depth have a look at the passive DNS information at our disposal to search out potential related domains and hosts.
This analysis gave us a large sequence of occasions we determined to summarize with the timeline under, exhibiting when actions have been taken by Glupteba operators.

Date Supply Description
2022-11-22 Passive DNS Area registration limeprime[.]org
2022-11-21 Passive DNS Area registration greenphoenix[.]xyz
2022-11-08 Blockchain Pockets 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK replace cdneurops[.]pics
2022-10-29 Blockchain
  • Pockets 1NX7zTP6C4oGj2y3DaJTrg26AGFWExvYnr replace mastiakele[.]icu
  • Pockets 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd replace mastiakele[.]xyz
  • Pockets 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK replace cdneurops[.]buzz
  • Pockets 1CfevVPC8cSpFf7QKQwShrFgQYfyQaoXhc replace cdneurops[.]store
  • Pockets 14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs replace zaoshanghaoz[.]internet
  • Pockets 1BrEshrz6gVbVuHGBgJ5GuHBvC2sdoeTAJ  replace cdneurop[.]cloud
  • Pockets 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK replace cdneurop[.]cloud
  • Pockets 1AuWUMtjPo7Cc1Ji2pz7DWVvVJ5EjiUaHh replace cdneurops[.]well being
  • Pockets 1BqY56No1LR64AGcog4mF54UTPnjrPAPHz replace mastiakele[.]cyou
  • Pockets 1CfevVPC8cSpFf7QKQwShrFgQYfyQaoXhc replace mastiakele[.]cyou
  • Pockets 14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs replace zaoshanghaoz[.]internet
  • Pockets 1NX7zTP6C4oGj2y3DaJTrg26AGFWExvYnr replace mastiakele[.]icu
  • Pockets 1Mz2b2onxnAYhJTJQoGHdSBy6wu2HpufVR replace mastiakele[.]ae[.]org
  • Pockets 1MuJwQKLQKt1VCBQ9u1RtepW7sDD3AwRE6 replace zaoshang[.]ooo
  • Pockets 19RzEN3pqHvgRHGMjjtYCqjVTXt8bnHkK3 replace cdntokiog[.]studio
  • Pockets 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd replace cdntokiog[.]studio
  • Pockets 1HSC8Yt2yjuFUSGpUfJnwLMr4HzNxV3dvP` replace zaoshang[.]moscow
  • Pockets 15nWGFaodg3efVKATgsaaSPU2TxSbiMHcP replace окрф[.]рф
  • Pockets 1LQ2EPBwPqdbmXwN6RodPS4xqcm8EtPcaB replace zaoshang[.]ru
  • Pockets 1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN replace zaoshanghao[.]su
  • 2022-10-28 Certificates Transparency Let’s encrypt certificates registration
    2022-10-28 Blockchain Pockets 1BL6NZSoXtMSdquRmePDUCQxFaXtLLSVWG replace duniadekho[.]bar
    2022-10-27 Passive DNS Area registration cdneurops[.]pics mastiakele[.]icu mastiakele[.]xyz cdneurops[.]buzz cdneurops[.]store zaoshanghaoz[.]internet cdneurop[.]cloud cdneurops[.]well being mastiakele[.]cyou mastiakele[.]ae[.]org zaoshang[.]ooo cdntokiog[.]studio zaoshang[.]moscow окрф[.]рф zaoshang[.]ru zaoshanghao[.]su duniadekho[.]bar
    2022-10-26 Blockchain Pockets 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK replace checkpos[.]internet
    2022-10-25 Passive DNS Area registration checkpos[.]internet
    2022-10-01 Passive DNS Area registration revouninstaller[.]houses
    2022-09-30 Blockchain Pockets 1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN replace tmetres[.]com
    2022-09-28 Passive DNS Area registration tmetres[.]com
    2022-08-12 Blockchain
  • Pockets 1BL6NZSoXtMSdquRmePDUCQxFaXtLLSVWG replace 3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid[.]onion
  • Pockets 1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN replace yeug3c6mnwocixwlotka4nwo3fjtfic65o4psmpxvrdul5q7dgjmsvad[.]onion
  • 2022-08-12 Passive DNS Area registration getyourgift[.]life
    2022-07-04 Blockchain
  • Pockets 1Cxy9e6KtHtBJrQwCwpKgcyp6dhncx6eNh replace x4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd[.]onion
  • Pockets 1HSC8Yt2yjuFUSGpUfJnwLMr4HzNxV3dvP replace bihgkrr546ctjdn4mwr7x4bhvwz55sftx6xir6cwlfo6rhppd2eu7syd[.]onion
  • 2022-06-09 Blockchain Pockets 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd replace x4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd.onion
    2022-06-07 Blockchain Pockets 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd replace x4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd.onion
    2022-06-06 Blockchain
  • Pockets 1AuWUMtjPo7Cc1Ji2pz7DWVvVJ5EjiUaHh replace c43tnmrkzfmkjyd3j4v6xbyrd67q6pskzy67dwkzj36uoqwpoju2loyd.onion
  • Pockets 1CfevVPC8cSpFf7QKQwShrFgQYfyQaoXhc replace 2pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad.onion
  • Pockets 1BrEshrz6gVbVuHGBgJ5GuHBvC2sdoeTAJ replace yeug3c6mnwocixwlotka4nwo3fjtfic65o4psmpxvrdul5q7dgjmsvad.onion
  • Pockets 19RzEN3pqHvgRHGMjjtYCqjVTXt8bnHkK3 replace dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
  • Pockets 1HSC8Yt2yjuFUSGpUfJnwLMr4HzNxV3dvP replace c43tnmrkzfmkjyd3j4v6xbyrd67q6pskzy67dwkzj36uoqwpoju2loyd.onion
  • Pockets 1BqY56No1LR64AGcog4mF54UTPnjrPAPHz replace 2pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad.onion
  • Pockets 1LQ2EPBwPqdbmXwN6RodPS4xqcm8EtPcaB replace dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
  • Pockets 15nWGFaodg3efVKATgsaaSPU2TxSbiMHcP replace papmcl4r32awafck75y5446n252qqqq4h6c4y2slaayposrtfbcebdqd.onion
  • Pockets 14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs replace c43tnmrkzfmkjyd3j4v6xbyrd67q6pskzy67dwkzj36uoqwpoju2loyd.onion
  • 2022-06-03 Blockchain
  • Pockets 1Mz2b2onxnAYhJTJQoGHdSBy6wu2HpufVR replace 2pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad.onion
  • Pockets replace 1MuJwQKLQKt1VCBQ9u1RtepW7sDD3AwRE6 dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
  • Pockets replace 14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs papmcl4r32awafck75y5446n252qqqq4h6c4y2slaayposrtfbcebdqd.onion
  • Pockets replace 1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN yeug3c6mnwocixwlotka4nwo3fjtfic65o4psmpxvrdul5q7dgjmsvad.onio
  • Pockets 1Cxy9e6KtHtBJrQwCwpKgcyp6dhncx6eNh replace yeug3c6mnwocixwlotka4nwo3fjtfic65o4psmpxvrdul5q7dgjmsvad.onio
  • 2022-06-01 Blockchain
  • Pockets 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK replace dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
  • Pockets 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd replace maesvpovrwqfaqjw44bbeb2w62h6n7eyosbeit7rfrrdbyjymqaxfryd.onion
  • 2021-12-29 Blockchain Pockets 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97  replace dafflash[.]com
    2021-12-27 Blockchain Area registration dafflash[.]com
    2021-12-25 Blockchain Pockets 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 replace filimaik[.]com
    2021-12-13 Blockchain Pockets 12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY replace 7owe32rodnp3vnx2ekqncoegxolkmb3m2fex5zu6i2bg7ktivhwvczqd.onion
    2021-12-12 Blockchain Pockets 12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY replace r5vg4h5rlwmo6oa3p3vlckuvf5na2wb2tnqbsbkivhrhlyze6czlpjad.onion
    2021-12-10 Passive DNS Area registration godespra[.]com filimaik[.]com
    2021-12-09 Blockchain Pockets 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 replace
    2021-12-08 Blockchain Pockets 1HjoomvzjtvZdbznoEijTNAkMjmsFba9fY replace
    2021-12-07 Blockchain Pockets 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 replace
    2021-12-06 Passive DNS Area registration
    2021-11-09 Blockchain Pockets 1GLjCyG3fDf7vT3SxwtEUx7Z2w2UQrR3FU replace newcc[.]com
    2021-10-19 Blockchain Pockets 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 replace nisdably[.]com
    2021-10-13 Blockchain Pockets 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 replace tyturu[.]com
    2021-10-11 Passive DNS Area registration tyturu[.]com
    2021-03-28 Passive DNS Area registration nisdably[.]com
    2020-05-13 Blockchain Pockets 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 replace maxbook[.]area
    2020-05-07 Blockchain Pockets 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 replace easywbdesign[.]com
    2020-04-08 Blockchain Pockets 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 replace sndvoices[.]com
    2020-04-02 Passive DNS Area registration easywbdesign[.]com sndvoices[.]com
    2020-03-28 Blockchain
  • Pockets 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 replace myinfoart[.]xyz
  • Pockets 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 replace gfixprice[.]xyz
  • Pockets 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 replace getfixed[.]xyz
  • 2020-03-15 Passive DNS Area registration maxbook[.]area
    2020-02-17 Blockchain Pockets 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 replace anotheronedom[.]com
    2020-02-17 Passive DNS Area Registration anotheronedom[.]com
    2020-02-14 Blockchain Pockets 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 replace sleepingcontrol[.]com
    2020-01-24 Blockchain Pockets 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 replace robotatten[.]com
    2020-01-23 Blockchain Pockets 34RqywhujsHGVPNMedvGawFufFW9wWtbXC replace robotatten[.]com
    2020-01-23 Passive DNS Area registration sleepingcontrol[.]com robotatten[.]com
    2019-06-19 Blockchain Pockets 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 replace venoxcontrol[.]com
    2019-06-14 Passive DNS Area registration venoxcontrol[.]com

    The 4 Glupteba Campaigns

    We have now been in a position to determine 15 Glupteba bitcoin addresses spawning over 4 years and what we imagine to be 4 completely different campaigns.

    Marketing campaign 1

    The oldest wave appears to have began in June 2019. Again then, just one single Bitcoin tackle was used to distribute the malicious domains. This additionally corroborates what Google came upon of their lawsuit in opposition to two Glupteba operators.

    Deal with First seen Final seen Transactions Variety of samples
    15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 2019-06-17 15:51 2020-05-13 13:02 16 54

    Determine 4 exhibits a graph of the tackle transactions. We will see the OP_RETURN transactions like 3Jt2U the place the funds bounce again to the 15y7d tackle. Curiously all of the remaining $36.18 on the 15y7d tackle have been despatched to the tackle 3Jwj7 in February 2020. No exercise has been noticed at that tackle since then.

    Figure 4. The graph shows the transaction to and from the address involved in the 2019 campaign.
    Determine 4. The graph exhibits the transaction to and from the tackle concerned within the 2019 marketing campaign.

    Marketing campaign 2

    The second wave appears to have began in April 2020, this time two Bitcoin addresses have been used to distribute the malicious C2 domains. Curiously we didn’t discover any samples utilizing the second tackle; it may very well be a testing tackle to make sure the Glupteba variants have been behaving as anticipated. As well as, the area distributed by way of the supposedly testing tackle deepsound[.]stay has not been seen in every other transactions we have been capable of finding throughout each addresses. It is also that we merely are lacking some samples.

    Deal with First Seen Final seen Transactions Variety of samples
    1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 2020-04-08 18:28 2021-10-19 17:28 11 87
    1bRfcRZVws98j3QQEZxrgRVd15vVF6zSU 2020-04-08 14:21 2020-04-08 15:49 2 0

    Right here the identical sample will be noticed on the principle tackle 1CgPC, after a interval of exercise, the remaining funds accounting for $28.45 have been transferred again to some vendor or service provider in November 2021. On the supposed check Bitcoin tackle, the funds weren’t transferred and stay to today on the account for a stability of $76.80. Determine 5 exhibits the transactions to and from each addresses.

    Figure 5. The graph shows the transaction to and from the addresses involved in the 2020 Glupteba campaign.
    Determine 5. The graph exhibits the transaction to and from the addresses concerned within the 2020 Glupteba marketing campaign.

    Marketing campaign 3

    The third marketing campaign begins in November 2021; the variety of bitcoin addresses used to ship malicious area doubled, from 2 in 2020 to 4 in 2021. This marketing campaign was the shortest of all, with a lifespan of solely about two months. We imagine that is seemingly resulting from Google efforts to take the botnet down, when about 1 12 months in the past Google filed a lawsuit against Glupteba two operators and several other actions have been taken to disrupt the botnet operations. That is additionally the primary time TOR hidden providers have been used as a command-and-control server by Glupteba.

    Deal with First seen Final seen Transactions Variety of samples
    1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 2021-10-13 15:20 2021-12-29 10:15 12 77
    12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY 2021-12-12 21:38 2021-12-13 21:14 3 3
    1HjoomvzjtvZdbznoEijTNAkMjmsFba9fY 2021-12-08 15:57 2021-12-08 17:12 2 17
    1GLjCyG3fDf7vT3SxwtEUx7Z2w2UQrR3FU 2021-11-09 12:22 2021-11-09 12:49 2 0

    Glupteba operators used 4 wallets, with essentially the most energetic one being 1CUha as proven in Determine 6. Once more, there have been no remaining funds left on the Bitcoin addresses. That is additionally the oldest tackle on this marketing campaign and the one with the very best variety of transactions. Curiously, we weren’t capable of finding a single pattern referring to the tackle 1GLjC which we imagine might have been used for testing the malware, just like 2020. The area used newcc[.]com was additionally not registered on the time and will point out it was utilized in a testing setting or we may very well be lacking some samples.

    Figure 6. The graph shows the transaction to and from the addresses involved in the 2021 Glupteba campaign.
    Determine 6. The graph exhibits the transaction to and from the addresses concerned within the 2021 Glupteba marketing campaign.

    Marketing campaign 4

    The newest and ongoing marketing campaign began in June 2022, 6 months after the Google lawsuit, and this time the variety of malicious bitcoin addresses significantlh elevated. We imagine this is because of a number of components. First, having extra Bitcoin addresses makes safety researcher job extra difficult. Second, to indicate that the Google lawsuit didn’t have a significant impact on their Glupteba operations. For this marketing campaign we weren’t capable of finding any samples for 3 of the addresses we gathered. We imagine these addresses will not be made for testing as they distribute some domains present in different Bitcoin addresses for which we discovered samples. As well as, there was a tenfold improve in TOR hidden service getting used as C2 servers because the 2021 marketing campaign.

    Deal with First seen Final seen Transactions Variety of samples
    1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK 2022-06-01 14:16 2022-11-08 11:54 11 1197
    1LQ2EPBwPqdbmXwN6RodPS4xqcm8EtPcaB  2022-06-03 13:59 2022-10-29 11:29 4 6
    1MuJwQKLQKt1VCBQ9u1RtepW7sDD3AwRE6 2022-06-03 15:02 2022-10-29 11:37 4 6
    1Mz2b2onxnAYhJTJQoGHdSBy6wu2HpufVR 2022-06-03 14:33 2022-10-29 11:40 5 3
    1NX7zTP6C4oGj2y3DaJTrg26AGFWExvYnr 2022-06-06 14:10 2022-10-29 12:07 6 6
    14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs 2022-06-03 14:56 2022-10-29 12:03 8 12
    15nWGFaodg3efVKATgsaaSPU2TxSbiMHcP 2022-06-03 14:34 2022-10-29 11:30 6 48
    19RzEN3pqHvgRHGMjjtYCqjVTXt8bnHkK3 2022-06-06 13:51 2022-10-29 11:37 4 6
    1AuWUMtjPo7Cc1Ji2pz7DWVvVJ5EjiUaHh 2022-06-06 14:04 2022-10-29 11:43 4 3
    1BL6NZSoXtMSdquRmePDUCQxFaXtLLSVWG 2022-06-07 08:51 2022-10-28 10:51 4 3
    1BqY56No1LR64AGcog4mF54UTPnjrPAPHz 2022-06-04 07:59 2022-10-29 11:41 4 3
    1BrEshrz6gVbVuHGBgJ5GuHBvC2sdoeTAJ 2022-06-04 02:35 2022-10-29 11:42 4 3
    1CfevVPC8cSpFf7QKQwShrFgQYfyQaoXhc 2022-06-06 14:05 2022-10-29 12:10 6 3
    1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN  2022-06-03 13:55 2022-10-29 11:28 8 3
    1HSC8Yt2yjuFUSGpUfJnwLMr4HzNxV3dvP 2022-06-06 13:58 2022-10-29 11:33 6 0
    1Cxy9e6KtHtBJrQwCwpKgcyp6dhncx6eNh 2022-06-03 14:05 2022-07-04 16:07 4 0
    1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd  2022-05-31 15:19 2022-10-29 12:04 8 0

    The transactions graphs proven in Determine 7 involving the addresses used within the 2022 marketing campaign present the upscaling of the operations since 2019. Lastly, we traced again these transactions even additional, and we imagine that a minimum of 5 completely different retailers and exchanges have been used to fund the Glupteba addresses since 2019.

    Figure 7. The graph shows the transaction to and from the addresses involved in the 2022 campaign.
    Determine 7. The graph exhibits the transaction to and from the addresses concerned within the 2022 marketing campaign.


    On this weblog, we’ve got proven how Glupteba will be hunted by following blockchain transaction, TLS certificates registrations, and by reverse engineering samples. We additionally had a have a look at how the blockchain can be utilized to retailer arbitrary knowledge and the way risk actors leverage this within the wild. As well as, we tried to shed some gentle on the Glupteba campaigns through the years. By way of resilience, we’ve got seen how the actions Google took to disrupt the Glupteba botnet had an affect on the 2021 marketing campaign, which we imagine ended abruptly. Even with Google winning a favorable ruling just lately, we hoped it will have inflicted a extreme blow to Glupteba operations, however virtually a 12 months later we are able to say it almost certainly didn’t. Certainly, it took Glupteba about six months to construct a brand new marketing campaign from scratch and distribute it within the wild, and this time on a a lot bigger scale.

    For defenders and responders, we strongly counsel blocking blockchain-related domains like but in addition Glupteba identified C2 domains in your setting. We additionally advocate monitoring DNS logs and maintaining the antivirus software program updated to assist stop a possible Glupteba an infection.

    Indicators of Compromise

    IOC Description
    cdneurops[.]pics C2 area 2022
    mastiakele[.]icu C2 area 2022
    mastiakele[.]xyz C2 area 2022
    cdneurops[.]buzz C2 area 2022
    cdneurops[.]store C2 area 2022
    zaoshanghaoz[.]internet C2 area 2022
    cdneurop[.]cloud C2 area 2022
    cdneurops[.]well being C2 area 2022
    mastiakele[.]cyou C2 area 2022
    zaoshanghaoz[.]internet C2 area 2022
    mastiakele[.]ae[.]org C2 area 2022
    zaoshang[.]ooo C2 area 2022
    cdntokiog[.]studio C2 area 2022
    zaoshang[.]moscow C2 area 2022
    zaoshang[.]ru C2 area 2022
    zaoshanghao[.]su C2 area 2022
    duniadekho[.]bar C2 area 2022
    checkpos[.]internet C2 area 2022
    dafflash[.]com C2 area 2021
    godespra[.]com C2 area 2021


    The submit Tracking Malicious Glupteba Activity Through the Blockchain appeared first on Nozomi Networks.

    *** It is a Safety Bloggers Community syndicated weblog from Nozomi Networks authored by Nozomi Networks Labs. Learn the unique submit at:

    Source link