Threat actors are increasingly leveraging blockchain technology to launch cyberattacks. By taking advantage of the distributed and decentralized nature of the blockchain, malicious actors can exploit its anonymity for a variety of attacks, ranging from malware propagation to ransomware distribution.
The Glupteba trojan is an example of a threat actor leveraging blockchain-based technologies to carry out its malicious activity. In this blog, Nozomi Networks Labs presents our latest findings on Glupteba and how security teams can search for malicious activity in the blockchain.
Glupteba is a backdoor trojan that is downloaded through Pay-Per-Install networks – online ad campaigns that prompt software or application downloads – in infected installers or software cracks. Once Glupteba is active on a system, the botnet operators can deploy additional modules, from a credential stealer to exploit kits that compromise devices on the target network. Several Glupteba modules are aimed at exploiting vulnerabilities in various Internet of Things (IoT) appliances from vendors such as MikroTik and Netgear.
Surprisingly, Glupteba leverages the Bitcoin blockchain to distribute its Command and Control (C2) domains to infected systems. Apart from the fact that this is an uncommon technique, the mechanism is also extremely resilient to takedowns, as there is no way to erase or censor a validated Bitcoin transaction. Using the same approach Glupteba uses to hide data within the blockchain, researchers can hunt for malicious transactions and recover their payloads. If the domains are not stored in plaintext, reversing the Glupteba samples allows security researchers to decrypt the payload and access the embedded domains.
Using the Blockchain to Store Data
The Bitcoin blockchain can be used to store arbitrary data. This is made possible by the OP_RETURN opcode, which allows storing up to 80 bytes of arbitrary data within the signature script. This storage mechanism has several advantages. First, it is resilient to takedowns. Once a transaction has been validated, there is no way to erase it – this is the nature of the blockchain. Using this mechanism to distribute C2 domains means that law enforcement officials, network defenders, and incident responders have no way to take down the Bitcoin address and erase the transaction. The way the Bitcoin blockchain is built on top of modern cryptography also makes this mechanism secure: without the private key of the Bitcoin address, one cannot send a transaction carrying such a data payload from the malicious address, so taking over the botnet is not possible. Furthermore, threat actors can encrypt their payload to hide it from prying eyes, making the data storage scheme robust and cost effective.
This technique has also been used by the Cerber ransomware in the past. Bitcoin transactions originating from specific addresses were monitored, and the first 6 characters of a destination address were combined with an appended .top TLD to generate a domain, which was then used to query the active C2 infrastructure.
Glupteba is known to use a similar mechanism, relying on OP_RETURN instead of destination addresses to distribute its C2 domains. If a C2 domain is taken down, the botnet operators only need to send a new transaction from the Bitcoin address that distributes the domains and voilà, the malware will adjust its configuration the next time the C2 is refreshed. The latest known Glupteba bitcoin transaction dates to the 8th of November 2022 with its embedded payload
The hexadecimal payload above does not look anything like a domain name, and that is because Glupteba, in its latest variant, uses an XOR encryption scheme to protect the data. Once the key is known, typically by reverse engineering a sample such as c6d4ce67dd25764f571a84caa19fa6c2b067cae6, decrypting the data becomes straightforward; see a sample of this decryption on GitHub.
The Evolution of Glupteba
Glupteba is known to have used the Bitcoin blockchain to distribute its C2 servers since at least 2019. To retrieve the Bitcoin transactions, several providers are used, usually blockchain.com and blockstream.info. The Glupteba function responsible for querying blockchain.com to retrieve the transaction data is shown in Figure 1.
The way the domains are protected within the transactions has evolved slightly over time. In 2019, Glupteba used AES-GCM to protect and embed the data in the bitcoin transactions. Each sample shipped with a hardcoded key and initialization vector, enabling the sample to decrypt the payload from the Bitcoin transaction. Figure 2 shows the decryption routine in the oldest Glupteba versions.
In newer versions of the malware, this scheme was switched to a simple XOR cipher, which is currently in use. All samples we found were using the same key: "cheesesauce". Figure 3 shows this key being moved around in memory in the function responsible for decrypting the ciphertext.
Timeline of Events
Given all that information, we went on a blockchain harvesting tour, scanning the entire Bitcoin blockchain for hidden C2 domains. We tried to decrypt the data payload of the OP_RETURN script present in every transaction of every block, using all the algorithms and keys we know to be associated with Glupteba. In addition, we downloaded over 1500 Glupteba samples from VirusTotal and looked at the wallet addresses they used to make sure we did not miss anything. But that is not all: the latest set of TLS certificates Glupteba uses also exhibits a precise pattern in the Subject Alternative Names and, thanks to certificate transparency, this can be hunted for. Finally, we also took a close look at the passive DNS records at our disposal to find potentially related domains and hosts.
This research gave us a large sequence of events, which we decided to summarize with the timeline below, showing when actions were taken by Glupteba operators.
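One way to hunt the way this post describes, as an added example that is not Nozomi's code: it parses the OP_RETURN push out of each output of a transaction, applies a repeating-key XOR with the "cheesesauce" key, and keeps anything that decrypts to a plausible domain or .onion name. The vout field names follow the Esplora-style JSON blockstream.info serves (an assumption; adapt them to your provider), the repeating-key form of the XOR is assumed since the post only says "XOR", and the transaction is constructed for the demo.

```python
# Added example (not Nozomi's tooling): extract OP_RETURN payloads from a
# transaction and try the XOR key the post names. Assumes a repeating-key
# XOR (the post only says "XOR") and Esplora-style vout JSON (assumption).
import re
from typing import List, Optional, Tuple

OP_RETURN = 0x6A
KNOWN_KEYS = [b"cheesesauce"]  # the key seen in every sample, per the post
DOMAIN_RE = re.compile(rb"^[a-z0-9.-]+\.(?:[a-z]{2,}|onion)$")


def op_return_data(script_hex: str) -> Optional[bytes]:
    """Return the bytes pushed by an OP_RETURN output script, else None."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if 1 <= op <= 75:            # direct push: the opcode is the length
        start, length = 2, op
    elif op == 0x4C:             # OP_PUSHDATA1: a one-byte length follows
        start, length = 3, script[2]
    else:
        return None              # anything longer exceeds the 80-byte limit
    data = script[start:start + length]
    return data if len(data) == length else None


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call with the same key decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_op_return_script(data: bytes) -> str:
    """Hex of an OP_RETURN script carrying `data` (direct push, <= 75 bytes)."""
    return bytes([OP_RETURN, len(data)]).hex() + data.hex()


def hunt_tx(tx: dict) -> List[Tuple[int, str, bytes]]:
    """Decrypt each OP_RETURN output with every known key; keep results that
    look like a domain or .onion name as (vout index, key, plaintext)."""
    hits = []
    for idx, vout in enumerate(tx.get("vout", [])):
        if vout.get("scriptpubkey_type") != "op_return":
            continue
        data = op_return_data(vout["scriptpubkey"])
        if not data:
            continue
        for key in KNOWN_KEYS:
            plain = xor_bytes(data, key)
            if DOMAIN_RE.match(plain):
                hits.append((idx, key.decode(), plain))
    return hits


# Constructed sample (not a real Glupteba transaction): one ordinary P2PKH
# output plus an OP_RETURN carrying a made-up C2 name XOR-ed with the key.
SAMPLE_TX = {"txid": "constructed-sample", "vout": [
    {"scriptpubkey_type": "p2pkh", "scriptpubkey": "76a914" + "00" * 20 + "88ac"},
    {"scriptpubkey_type": "op_return", "scriptpubkey": build_op_return_script(
        xor_bytes(b"example-c2.invalid", b"cheesesauce"))},
]}
```

Running `hunt_tx` over every transaction of every block is the scan described above; the domain filter is what separates a real decryption from XOR noise.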
| Date | Source | Event |
|---|---|---|
| 2022-11-22 | Passive DNS | Domain registration limeprime[.]org |
| 2022-11-21 | Passive DNS | Domain registration greenphoenix[.]xyz |
| 2022-11-08 | Blockchain | Wallet 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK update cdneurops[.]pics |
| 2022-10-28 | Certificate Transparency | Let's Encrypt certificate registration |
| 2022-10-28 | Blockchain | Wallet 1BL6NZSoXtMSdquRmePDUCQxFaXtLLSVWG update duniadekho[.]bar |
| 2022-10-27 | Passive DNS | Domain registration cdneurops[.]pics mastiakele[.]icu mastiakele[.]xyz cdneurops[.]buzz cdneurops[.]store zaoshanghaoz[.]net cdneurop[.]cloud cdneurops[.]health mastiakele[.]cyou mastiakele[.]ae[.]org zaoshang[.]ooo cdntokiog[.]studio zaoshang[.]moscow окрф[.]рф zaoshang[.]ru zaoshanghao[.]su duniadekho[.]bar |
| 2022-10-26 | Blockchain | Wallet 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK update checkpos[.]net |
| 2022-10-25 | Passive DNS | Domain registration checkpos[.]net |
| 2022-10-01 | Passive DNS | Domain registration revouninstaller[.]homes |
| 2022-09-30 | Blockchain | Wallet 1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN update tmetres[.]com |
| 2022-09-28 | Passive DNS | Domain registration tmetres[.]com |
| 2022-08-12 | Passive DNS | Domain registration getyourgift[.]life |
| 2022-06-09 | Blockchain | Wallet 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd update x4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd.onion |
| 2022-06-07 | Blockchain | Wallet 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd update x4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd.onion |
| 2021-12-29 | Blockchain | Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update dafflash[.]com |
| 2021-12-27 | Blockchain | Domain registration dafflash[.]com |
| 2021-12-25 | Blockchain | Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update filimaik[.]com |
| 2021-12-13 | Blockchain | Wallet 12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY update 7owe32rodnp3vnx2ekqncoegxolkmb3m2fex5zu6i2bg7ktivhwvczqd.onion |
| 2021-12-12 | Blockchain | Wallet 12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY update r5vg4h5rlwmo6oa3p3vlckuvf5na2wb2tnqbsbkivhrhlyze6czlpjad.onion |
| 2021-12-10 | Passive DNS | Domain registration godespra[.]com filimaik[.]com |
| 2021-12-09 | Blockchain | Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update mydomelem.com |
| 2021-12-08 | Blockchain | Wallet 1HjoomvzjtvZdbznoEijTNAkMjmsFba9fY update nameiusr.com |
| 2021-12-07 | Blockchain | Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update younghil.com |
| 2021-12-06 | Passive DNS | Domain registration mydomelem.com nameiusr.com younghil.com |
| 2021-11-09 | Blockchain | Wallet 1GLjCyG3fDf7vT3SxwtEUx7Z2w2UQrR3FU update newcc[.]com |
| 2021-10-19 | Blockchain | Wallet 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 update nisdably[.]com |
| 2021-10-13 | Blockchain | Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update tyturu[.]com |
| 2021-10-11 | Passive DNS | Domain registration tyturu[.]com |
| 2021-03-28 | Passive DNS | Domain registration nisdably[.]com |
| 2020-05-13 | Blockchain | Wallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update maxbook[.]space |
| 2020-05-07 | Blockchain | Wallet 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 update easywbdesign[.]com |
| 2020-04-08 | Blockchain | Wallet 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 update sndvoices[.]com |
| 2020-04-02 | Passive DNS | Domain registration easywbdesign[.]com sndvoices[.]com |
| 2020-03-15 | Passive DNS | Domain registration maxbook[.]space |
| 2020-02-17 | Blockchain | Wallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update anotheronedom[.]com |
| 2020-02-17 | Passive DNS | Domain registration anotheronedom[.]com |
| 2020-02-14 | Blockchain | Wallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update sleepingcontrol[.]com |
| 2020-01-24 | Blockchain | Wallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update robotatten[.]com |
| 2020-01-23 | Blockchain | Wallet 34RqywhujsHGVPNMedvGawFufFW9wWtbXC update robotatten[.]com |
| 2020-01-23 | Passive DNS | Domain registration sleepingcontrol[.]com robotatten[.]com |
| 2019-06-19 | Blockchain | Wallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update venoxcontrol[.]com |
| 2019-06-14 | Passive DNS | Domain registration venoxcontrol[.]com |
The 4 Glupteba Campaigns
We have been able to identify 15 Glupteba bitcoin addresses spanning over 4 years and what we believe to be 4 different campaigns.
Campaign 1
The oldest wave seems to have started in June 2019. Back then, only a single Bitcoin address was used to distribute the malicious domains. This also corroborates what Google found out in their lawsuit against two Glupteba operators.
| Address | First seen | Last seen | Transactions | Number of samples |
|---|---|---|---|---|
| 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 | 2019-06-17 15:51 | 2020-05-13 13:02 | 16 | 54 |
Figure 4 shows a graph of the address transactions. We can see the OP_RETURN transactions, like 3Jt2U, where the funds bounce back to the 15y7d address. Interestingly, all of the remaining $36.18 on the 15y7d address were sent to the address 3Jwj7 in February 2020. No activity has been observed at that address since then.
Campaign 2
The second wave seems to have started in April 2020; this time two Bitcoin addresses were used to distribute the malicious C2 domains. Interestingly, we did not find any samples using the second address; it could be a testing address used to ensure the Glupteba variants were behaving as expected. In addition, the domain distributed through the supposed testing address, deepsound[.]live, has not been seen in any other transaction we were able to find across both addresses. It could also be that we are simply missing some samples.
| Address | First seen | Last seen | Transactions | Number of samples |
|---|---|---|---|---|
| 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 | 2020-04-08 18:28 | 2021-10-19 17:28 | 11 | 87 |
| 1bRfcRZVws98j3QQEZxrgRVd15vVF6zSU | 2020-04-08 14:21 | 2020-04-08 15:49 | 2 | 0 |
Here the same pattern can be observed on the main address 1CgPC: after a period of activity, the remaining funds, accounting for $28.45, were transferred back to some vendor or merchant in November 2021. On the supposed test Bitcoin address, the funds were not transferred and remain on the account to this day, for a balance of $76.80. Figure 5 shows the transactions to and from both addresses.
Campaign 3
The third campaign starts in November 2021; the number of bitcoin addresses used to deliver malicious domains doubled, from 2 in 2020 to 4 in 2021. This campaign was the shortest of all, with a lifespan of only about two months. We believe this is likely due to Google's efforts to take the botnet down, when about 1 year ago Google filed a lawsuit against two Glupteba operators and several actions were taken to disrupt the botnet operations. This is also the first time TOR hidden services were used as command-and-control servers by Glupteba.
| Address | First seen | Last seen | Transactions | Number of samples |
|---|---|---|---|---|
| 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 | 2021-10-13 15:20 | 2021-12-29 10:15 | 12 | 77 |
| 12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY | 2021-12-12 21:38 | 2021-12-13 21:14 | 3 | 3 |
| 1HjoomvzjtvZdbznoEijTNAkMjmsFba9fY | 2021-12-08 15:57 | 2021-12-08 17:12 | 2 | 17 |
| 1GLjCyG3fDf7vT3SxwtEUx7Z2w2UQrR3FU | 2021-11-09 12:22 | 2021-11-09 12:49 | 2 | 0 |
Glupteba operators used 4 wallets, with the most active one being 1CUha, as shown in Figure 6. Again, there were no remaining funds left on the Bitcoin addresses. This is also the oldest address in this campaign and the one with the highest number of transactions. Interestingly, we were not able to find a single sample referring to the address 1GLjC, which we believe may have been used for testing the malware, similar to 2020. The domain it distributed, newcc[.]com, was also not registered at the time, which could indicate it was used in a testing environment, or we could be missing some samples.
Campaign 4
The latest and ongoing campaign started in June 2022, 6 months after the Google lawsuit, and this time the number of malicious bitcoin addresses significantly increased. We believe this is due to several factors. First, having more Bitcoin addresses makes the security researcher's job more difficult. Second, it shows that the Google lawsuit did not have a meaningful impact on their Glupteba operations. For this campaign we were not able to find any samples for 3 of the addresses we gathered. We believe these addresses are not meant for testing, as they distribute some of the domains found in other Bitcoin addresses for which we did find samples. In addition, there has been a tenfold increase in TOR hidden services being used as C2 servers since the 2021 campaign.
| Address | First seen | Last seen | Transactions | Number of samples |
|---|---|---|---|---|
| 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK | 2022-06-01 14:16 | 2022-11-08 11:54 | 11 | 1197 |
| 1LQ2EPBwPqdbmXwN6RodPS4xqcm8EtPcaB | 2022-06-03 13:59 | 2022-10-29 11:29 | 4 | 6 |
| 1MuJwQKLQKt1VCBQ9u1RtepW7sDD3AwRE6 | 2022-06-03 15:02 | 2022-10-29 11:37 | 4 | 6 |
| 1Mz2b2onxnAYhJTJQoGHdSBy6wu2HpufVR | 2022-06-03 14:33 | 2022-10-29 11:40 | 5 | 3 |
| 1NX7zTP6C4oGj2y3DaJTrg26AGFWExvYnr | 2022-06-06 14:10 | 2022-10-29 12:07 | 6 | 6 |
| 14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs | 2022-06-03 14:56 | 2022-10-29 12:03 | 8 | 12 |
| 15nWGFaodg3efVKATgsaaSPU2TxSbiMHcP | 2022-06-03 14:34 | 2022-10-29 11:30 | 6 | 48 |
| 19RzEN3pqHvgRHGMjjtYCqjVTXt8bnHkK3 | 2022-06-06 13:51 | 2022-10-29 11:37 | 4 | 6 |
| 1AuWUMtjPo7Cc1Ji2pz7DWVvVJ5EjiUaHh | 2022-06-06 14:04 | 2022-10-29 11:43 | 4 | 3 |
| 1BL6NZSoXtMSdquRmePDUCQxFaXtLLSVWG | 2022-06-07 08:51 | 2022-10-28 10:51 | 4 | 3 |
| 1BqY56No1LR64AGcog4mF54UTPnjrPAPHz | 2022-06-04 07:59 | 2022-10-29 11:41 | 4 | 3 |
| 1BrEshrz6gVbVuHGBgJ5GuHBvC2sdoeTAJ | 2022-06-04 02:35 | 2022-10-29 11:42 | 4 | 3 |
| 1CfevVPC8cSpFf7QKQwShrFgQYfyQaoXhc | 2022-06-06 14:05 | 2022-10-29 12:10 | 6 | 3 |
| 1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN | 2022-06-03 13:55 | 2022-10-29 11:28 | 8 | 3 |
| 1HSC8Yt2yjuFUSGpUfJnwLMr4HzNxV3dvP | 2022-06-06 13:58 | 2022-10-29 11:33 | 6 | 0 |
| 1Cxy9e6KtHtBJrQwCwpKgcyp6dhncx6eNh | 2022-06-03 14:05 | 2022-07-04 16:07 | 4 | 0 |
| 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd | 2022-05-31 15:19 | 2022-10-29 12:04 | 8 | 0 |
The transaction graphs shown in Figure 7, involving the addresses used in the 2022 campaign, show the upscaling of the operations since 2019. Finally, we traced these transactions back even further, and we believe that at least 5 different merchants and exchanges were used to fund the Glupteba addresses since 2019.
In this blog, we have shown how Glupteba can be hunted by following blockchain transactions, TLS certificate registrations, and by reverse engineering samples. We also looked at how the blockchain can be used to store arbitrary data and how threat actors leverage this in the wild. In addition, we tried to shed some light on the Glupteba campaigns over the years. In terms of resilience, we have seen how the actions Google took to disrupt the Glupteba botnet had an impact on the 2021 campaign, which we believe ended abruptly. Even with Google winning a favorable ruling recently, we had hoped it would have inflicted a severe blow to Glupteba operations, but almost a year later we can say it most likely did not. Indeed, it took Glupteba about six months to build a new campaign from scratch and distribute it in the wild, and this time on a much larger scale.
For defenders and responders, we strongly suggest blocking blockchain-related domains like blockchain.info, but also the known Glupteba C2 domains, in your environment. We also recommend monitoring DNS logs and keeping antivirus software up to date to help prevent a potential Glupteba infection.
Indicators of Compromise
The post Tracking Malicious Glupteba Activity Through the Blockchain appeared first on Nozomi Networks.
*** This is a Security Bloggers Network syndicated blog from Nozomi Networks authored by Nozomi Networks Labs. Read the original post at: https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/