Glupteba Malware Infecting Devices Worldwide

One of the top ten malware variants of 2021 is the trojan horse malware known as Glupteba. Glupteba can be used to infect a system, deliver additional malware, collect user authentication data, and add the compromised system to a crypto-mining botnet.

Nozomi Networks Lab discusses its most recent research on Glupteba and how security teams might look for criminal activities in blockchains.

The Working of Glupteba Malware

Glupteba is a backdoor trojan downloaded through Pay-Per-Install networks, which are online marketing campaigns that encourage the download of software or applications, infected installers, or software cracks.

Once Glupteba is operational on a machine, the botnet operators can deploy additional modules, ranging from credential stealers to exploit kits that compromise devices on the target network.


Further, there are multiple Glupteba modules designed to take advantage of flaws in different Internet of Things (IoT) devices from vendors like MikroTik and Netgear.

Glupteba also leverages the Bitcoin blockchain to distribute its Command and Control (C2) domains to infected systems.

The Bitcoin blockchain can be used to store arbitrary data. To obtain the C2 server address, the botnet’s clients use a discover function that enumerates Bitcoin wallet servers, retrieves their transactions, and parses them to identify an AES-encrypted address.

Discover function used for retrieving C2 domains

Since it offers resistance to takedowns, Glupteba has been using this tactic for a while. Researchers note that because blockchain transactions cannot be reversed, efforts to take down C2 addresses have little effect on the botnet.

“The way the Bitcoin blockchain is built on top of modern cryptography also makes this mechanism secure; without the Bitcoin address private key, one cannot send a transaction with such a data payload originating from the malicious address, hence, taking over the botnet is not possible”, say researchers.

The main drawback of this approach is that anyone may access the public Bitcoin blockchain and examine transactions to obtain data.

Nozomi looked through the most recent set of TLS certificates used by the malware to learn more about its infrastructure while searching for Glupteba domains and hosts using passive DNS records.

According to the Nozomi study, 15 Bitcoin addresses were used in four Glupteba campaigns, the most recent of which began in June 2022, six months after Google’s disruption, and the campaign is still going on.

Blockchain transaction diagrams. From left to right: 2022 (most complex), 2021, 2020, and 2019 campaigns


Researchers strongly advise blocking recognised Glupteba C2 domains, as well as blockchain[.]info and other related domains, in your environment. To help guard against a potential Glupteba infection, it is also advisable to keep an eye on DNS logs and keep antivirus software updated.
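One way to act on the DNS-log advice above, as an added example that is not from the Nozomi research: a small scanner that reports which internal clients looked up a watched domain or any of its subdomains. The log format (timestamp, client IP, query name, record type), the sample lines and the C2 placeholder domain are assumptions made for illustration.

```python
from collections import defaultdict

# Watchlist: blockchain[.]info is named in the article; the second entry is a
# labelled placeholder to be replaced with C2 domains from a current IoC feed.
WATCHLIST = ["blockchain[.]info", "glupteba-c2-placeholder[.]example"]

# Constructed sample log (assumed format: timestamp client query type).
SAMPLE_LOG = """\
2022-12-01T10:00:01Z 10.0.0.5 www.example.org. A
2022-12-01T10:00:02Z 10.0.0.7 Blockchain.info. A
2022-12-01T10:00:03Z 10.0.0.7 api.blockchain.info A
2022-12-01T10:00:04Z 10.0.0.9 notblockchain.info A
2022-12-01T10:00:05Z 10.0.0.9 blockchain.info.example.org A
2022-12-01T10:00:06Z 10.0.0.8 cdn.glupteba-c2-placeholder.example AAAA
malformed line
"""

def normalise(domain):
    """Lower-case, refang '[.]' and drop the trailing root dot."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def matches(query, watched):
    """True if query equals a watched domain or is a subdomain of one."""
    q = normalise(query)
    # Match on label boundaries so 'notblockchain.info' is not a hit.
    return any(q == w or q.endswith("." + w) for w in watched)

def scan(log_text, watchlist=WATCHLIST):
    """Return {client_ip: [watched names queried]} for the given log text."""
    watched = {normalise(d) for d in watchlist}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of aborting the scan
        _, client, query, _ = fields[:4]
        if matches(query, watched):
            hits[client].append(normalise(query))
    return dict(hits)

if __name__ == "__main__":
    for client, names in sorted(scan(SAMPLE_LOG).items()):
        print(f"{client}: {len(names)} watched lookups -> {', '.join(names)}")
```

Because blockchain[.]info is also used legitimately, a hit is a lead for triage: check whether the client has any business reason to query it before treating the host as infected.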
