Glupteba – the malware that gets secret messages from the Bitcoin blockchain – Naked Security

Here’s a SophosLabs technical paper that should tick all your jargon boxes!

Our experts have deconstructed a strain of malware called Glupteba that uses just about every cybercrime trick you’ve heard of, and probably several more besides.

Like a lot of malware these days, Glupteba is what’s known as a zombie or bot (short for software robot) that can be controlled from afar by the crooks who wrote it.

But it’s more than just a remote control tool for criminals, because Glupteba also includes a range of components that let it serve as all of the following:

  • A rootkit. Glupteba includes a variety of Windows kernel drivers that can hide the existence of specific files and processes. Kernel rootkits are unusual these days because they’re complex to write and often draw unnecessary attention to themselves. However, if loaded successfully, rootkits can help cybersecurity threats lie low by keeping malware files off the radar of security tools and stopping them from showing up in security logs.
  • A security suppressor. Glupteba has a module that does its best to turn Windows Defender off, and then regularly checks to make sure it hasn’t turned itself back on. It also looks for a laundry list of other security tools, including anti-virus software and system monitoring programs, killing them off so they can no longer search for and report anomalies.
  • A virus. Glupteba uses two different variants of the ETERNALBLUE exploit to distribute itself automatically across your own network, and anyone else’s it can find by reaching out from your computer. That makes it an old-school, self-spreading computer virus (or more specifically a worm) rather than just a standalone piece of malware.
  • A router attack tool. Glupteba bundles in various exploits against popular home and small-business routers, using your computer as a jumping-off point to attack other people. It uses one of these attacks to turn unpatched routers into network proxies that the crooks can use as relays for future attacks. This leaves the unfortunate victim looking like an attacker themselves, showing up as an apparent source of cybercriminal activity.
  • A browser stealer. Glupteba goes after local data files from four different browsers – Chrome, Firefox, Yandex and Opera – and uploads them to the crooks. Browser files often contain sensitive information such as URL history, authentication cookies, login details and even passwords that can’t be accessed by code such as JavaScript running inside the browser. So crooks love to attack your browser from outside, where the browser isn’t in control.
  • A cryptojacker. Along with everything else it does, Glupteba can act as a secretive management tool for two different cryptomining tools. Cryptominers are legal if you use them with the explicit permission of the person paying the electricity bills to run the computers you’re using (and cryptomining can consume a lot of power). Here, the crooks get you to pay their power bills and take the cryptocoins for themselves.
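The “security suppressor” behaviour above has a simple defensive counterpart: just as the malware keeps re-checking that Defender stays off, an administrator can keep re-checking that it stays on. The PowerShell below is an added example for this article, not code from SophosLabs or from the paper; it assumes a Windows host with the Defender module available and an elevated prompt, and the event IDs and registry path it uses are Microsoft’s documented ones, not anything taken from Glupteba itself.

```powershell
# Added example (not from the SophosLabs paper): report the indicators that
# Windows Defender has been switched off or policy-disabled on this host.
# Assumes: Windows 10/11 or Server with the Defender module, run as Administrator.

function Get-DefenderHealthReport {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Group Policy key that disables Defender outright; a value of 1 here that
    # no administrator set deliberately is worth investigating.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $disableAS = (Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware `
                    -ErrorAction SilentlyContinue).DisableAntiSpyware

    # Defender logs event 5001 when real-time protection is turned off and
    # 5010 when malware scanning is disabled; look back over the last 24 hours.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AntivirusEnabled            = $status.AntivirusEnabled
        RealTimeProtectionEnabled   = $status.RealTimeProtectionEnabled
        RealtimeMonitoringPolicyOff = $pref.DisableRealtimeMonitoring
        TamperProtected             = $status.IsTamperProtected   # $null on older builds
        DisableAntiSpywarePolicy    = $disableAS
        DisableEventsLast24h        = @($events).Count
    }
}

$report = Get-DefenderHealthReport
$report | Format-List

# Turn the raw report into a short list of findings for the operator.
$findings = @()
if (-not $report.AntivirusEnabled)          { $findings += 'Antivirus engine reports itself disabled' }
if (-not $report.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
if ($report.RealtimeMonitoringPolicyOff)    { $findings += 'DisableRealtimeMonitoring preference is set' }
if ($report.DisableAntiSpywarePolicy -eq 1) { $findings += 'DisableAntiSpyware policy value is set' }
if ($report.DisableEventsLast24h -gt 0)     { $findings += "$($report.DisableEventsLast24h) protection-disabled event(s) in the last 24h" }
if ($report.TamperProtected -eq $false)     { $findings += 'Tamper Protection is not enabled' }

if ($findings) {
    Write-Warning ("Defender tampering indicators found:`n - " + ($findings -join "`n - "))
} else {
    Write-Output 'No Defender tampering indicators found.'
}
```

Run it from a scheduled task or your endpoint management tool rather than once by hand: a single clean result proves little against malware that re-disables protection on a timer, whereas a protection-disabled event or a policy value appearing between two runs is exactly the kind of change this article describes and is worth an alert.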