Threat actors are increasingly leveraging blockchain technology to launch cyberattacks. By taking advantage of the distributed and decentralized nature of blockchain, malicious actors can exploit its anonymity for a wide range of attacks, ranging from malware propagation to ransomware distribution.
The Glupteba trojan is an example of a threat actor leveraging blockchain-based technologies to carry out their malicious activity. In this blog, Nozomi Networks Labs presents our latest findings on Glupteba and how security teams can hunt for malicious activity in the blockchain.
What is Glupteba?
Glupteba is a backdoor trojan that is downloaded via Pay-Per-Install networks – online ad campaigns that prompt software or application downloads – in infected installers or software cracks. Once Glupteba is active on a system, the botnet operators can deploy additional modules, from a credential stealer to exploit kits compromising devices on the target network. There are several Glupteba modules aimed at exploiting vulnerabilities in various Internet of Things (IoT) appliances from vendors such as MikroTik and Netgear.
Surprisingly, Glupteba leverages the Bitcoin blockchain to distribute its Command and Control (C2) domains to infected systems. Apart from the fact that this is an uncommon approach, this mechanism is also extremely resilient to takedowns, as there is no way to erase or censor a validated Bitcoin transaction. Using the same approach that Glupteba uses to hide data within the blockchain, researchers can hunt for malicious transactions and recover their payloads. If the said domains are not stored in plaintext, reversing the Glupteba samples enables security researchers to decrypt the payload and access the embedded domains.
Using the Blockchain to Store Data
The Bitcoin blockchain can be used to store arbitrary data. This is made possible by the OP_RETURN opcode, which allows storage of up to 80 bytes of arbitrary data within the signature script. This storage mechanism has several advantages. First, it is resilient to takedowns. Once a transaction has been validated, there is no way to erase it – this is the nature of the blockchain. Using this mechanism to distribute C2 domains means that law enforcement officers, network defenders, and incident responders have no way to take down the Bitcoin address and erase the transaction. The way the Bitcoin blockchain is built on top of modern cryptography also makes this mechanism secure; without the Bitcoin address's private key, one cannot send a transaction with such a data payload originating from the malicious address, hence taking over the botnet is not possible. Furthermore, threat actors can encrypt their payload from prying eyes, making the data storage scheme robust and cost effective.
This technique has also been used by the Cerber ransomware in the past. Bitcoin transactions originating from specific addresses were monitored, and the first 6 characters of a destination address were used together with an appended .top TLD to generate a domain, which would then be used to query the active C2 infrastructure.
Glupteba is known to be using a similar mechanism, relying on OP_RETURN instead of destination addresses to distribute its C2 domains. In case of a C2 domain being taken down, the botnet operators only need to send a new transaction from the Bitcoin address distributing the domains and voilà, the malware will modify its configuration the next time the C2 is refreshed. The latest known Glupteba bitcoin transaction dates to the 8th of November 2022, with its embedded payload 000c0b0006171c11064d150a0b16.
The hexadecimal payload above does not seem to represent anything close to a domain name, and that is because Glupteba uses, in its latest variant, a XOR encryption scheme to protect the data. Once the key is known, usually by reverse engineering a sample such as c6d4ce67dd25764f571a84caa19fa6c2b067cae6, decrypting the data becomes straightforward; see a sample of this decryption on GitHub.
The Evolution of Glupteba
Glupteba is known to have used the Bitcoin blockchain to distribute its C2 servers since at least 2019. To retrieve the Bitcoin transactions, several providers are used, usually blockchain.com and blockstream.info. The Glupteba function responsible for querying blockchain.com to retrieve the transaction data is shown in Figure 1.
The way the domains are protected within the transactions has slightly evolved over time. In 2019, Glupteba used AES-GCM to protect and embed the data in the bitcoin transactions. Each sample was shipped with a hardcoded key and initialization vector enabling the sample to decrypt the payload from the Bitcoin transaction. Figure 2 shows the decryption routine in the oldest Glupteba versions.
In newer versions of the malware, this scheme was switched to a simple XOR cipher, which is currently being used. All samples we found were using the same key: “cheesesauce”. Figure 3 shows this key being moved around in memory in the function responsible for decrypting the ciphertext.
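As an added example (not the decryption sample from Nozomi's GitHub), the following Python shows the whole hunting step for the current variant: pull the data push out of an OP_RETURN output script, XOR it with the “cheesesauce” key, and only accept the result if it parses as a domain. The script hex is constructed around the payload quoted above; the opcode constants are standard Bitcoin script, the domain check is an assumption of mine about what a valid payload looks like.

```python
import re
from typing import Optional

# XOR key shared by all the recent Glupteba samples described in the post.
GLUPTEBA_XOR_KEY = b"cheesesauce"

# Constructed OP_RETURN output script: OP_RETURN (0x6a), a direct push of
# 14 bytes (0x0e), then the 14-byte payload quoted in the post.
SAMPLE_OP_RETURN_SCRIPT_HEX = "6a0e" + "000c0b0006171c11064d150a0b16"

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D

def extract_op_return_data(script: bytes) -> Optional[bytes]:
    """Return the bytes pushed right after OP_RETURN, or None when the
    script is not an OP_RETURN output or the push is malformed/truncated."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op = script[1]
    if 1 <= op <= 75:                       # direct push: opcode == length
        start, length = 2, op
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        start, length = 3, script[2]
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        start, length = 4, int.from_bytes(script[2:4], "little")
    else:
        return None
    data = script[start:start + length]
    return data if len(data) == length else None

def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Assumed plausibility filter: lowercase DNS labels plus an alphabetic TLD,
# which also accepts the long .onion labels seen in the 2021/2022 campaigns.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def looks_like_domain(candidate: str) -> bool:
    return bool(DOMAIN_RE.match(candidate))

def recover_c2_domain(script_hex: str, key: bytes = GLUPTEBA_XOR_KEY) -> Optional[str]:
    """Decode one output script; None means 'not a Glupteba-style payload'."""
    data = extract_op_return_data(bytes.fromhex(script_hex))
    if data is None:
        return None
    try:
        candidate = xor_decrypt(data, key).decode("ascii")
    except UnicodeDecodeError:              # random OP_RETURN data, wrong key
        return None
    return candidate if looks_like_domain(candidate) else None

if __name__ == "__main__":
    print(recover_c2_domain(SAMPLE_OP_RETURN_SCRIPT_HEX))   # cdneurops.pics
```

The same routine, run over every OP_RETURN output of every block with the keys known to belong to Glupteba, is the scan described in the next section.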
Timeline of Events
Given all that information, we went on a blockchain harvesting tour, scanning the entire Bitcoin blockchain for hidden C2 domains. We tried to decrypt the data payload of the OP_RETURN script present in every transaction of every block using all the algorithms and keys we know to be associated with Glupteba. In addition, we downloaded over 1500 Glupteba samples from VirusTotal and looked at the wallet addresses they used to make sure we did not miss anything. But that is not all: the latest set of TLS certificates Glupteba uses also shows a precise pattern in the Subject Alternative Names and, thanks to certificate transparency, this can be hunted for. Finally, we also took a close look at the passive DNS data at our disposal to find potentially related domains and hosts.
This research gave us a large collection of events, which we decided to summarize with the timeline below, showing when actions were taken by Glupteba operators.
Date | Source | Description |
---|---|---|
2022-11-22 | Passive DNS | Domain registration limeprime[.]org |
2022-11-21 | Passive DNS | Domain registration greenphoenix[.]xyz |
2022-11-08 | Blockchain | Wallet 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK update cdneurops[.]pics |
2022-10-29 | Blockchain | |
2022-10-28 | Certificate Transparency | Let’s Encrypt certificate registration |
2022-10-28 | Blockchain | Wallet 1BL6NZSoXtMSdquRmePDUCQxFaXtLLSVWG update duniadekho[.]bar |
2022-10-27 | Passive DNS | Domain registration cdneurops[.]pics mastiakele[.]icu mastiakele[.]xyz cdneurops[.]buzz cdneurops[.]shop zaoshanghaoz[.]net cdneurop[.]cloud cdneurops[.]health mastiakele[.]cyou mastiakele[.]ae[.]org zaoshang[.]ooo cdntokiog[.]studio zaoshang[.]moscow окрф[.]рф zaoshang[.]ru zaoshanghao[.]su duniadekho[.]bar |
2022-10-26 | Blockchain | Wallet 1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK update checkpos[.]net |
2022-10-25 | Passive DNS | Domain registration checkpos[.]net |
2022-10-01 | Passive DNS | Domain registration revouninstaller[.]properties |
2022-09-30 | Blockchain | Wallet 1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN update tmetres[.]com |
2022-09-28 | Passive DNS | Domain registration tmetres[.]com |
2022-08-12 | Blockchain | |
2022-08-12 | Passive DNS | Domain registration getyourgift[.]life |
2022-07-04 | Blockchain | |
2022-06-09 | Blockchain | Wallet 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd update x4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd.onion |
2022-06-07 | Blockchain | Wallet 1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd update x4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd.onion |
2022-06-06 | Blockchain | |
2022-06-03 | Blockchain | |
2022-06-01 | Blockchain | |
2021-12-29 | Blockchain | Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update dafflash[.]com |
2021-12-27 | Blockchain | Domain registration dafflash[.]com |
2021-12-25 | Blockchain | Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update filimaik[.]com |
2021-12-13 | Blockchain | Wallet 12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY update 7owe32rodnp3vnx2ekqncoegxolkmb3m2fex5zu6i2bg7ktivhwvczqd.onion |
2021-12-12 | Blockchain | Wallet 12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY update r5vg4h5rlwmo6oa3p3vlckuvf5na2wb2tnqbsbkivhrhlyze6czlpjad.onion |
2021-12-10 | Passive DNS | Domain registration godespra[.]com filimaik[.]com |
2021-12-09 | Blockchain | Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update mydomelem.com |
2021-12-08 | Blockchain | Wallet 1HjoomvzjtvZdbznoEijTNAkMjmsFba9fY update nameiusr.com |
2021-12-07 | Blockchain | Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update younghil.com |
2021-12-06 | Passive DNS | Domain registration mydomelem.com nameiusr.com younghil.com |
2021-11-09 | Blockchain | Wallet 1GLjCyG3fDf7vT3SxwtEUx7Z2w2UQrR3FU update newcc[.]com |
2021-10-19 | Blockchain | Wallet 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 update nisdably[.]com |
2021-10-13 | Blockchain | Wallet 1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 update tyturu[.]com |
2021-10-11 | Passive DNS | Domain registration tyturu[.]com |
2021-03-28 | Passive DNS | Domain registration nisdably[.]com |
2020-05-13 | Blockchain | Wallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update maxbook[.]space |
2020-05-07 | Blockchain | Wallet 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 update easywbdesign[.]com |
2020-04-08 | Blockchain | Wallet 1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 update sndvoices[.]com |
2020-04-02 | Passive DNS | Domain registration easywbdesign[.]com sndvoices[.]com |
2020-03-28 | Blockchain | |
2020-03-15 | Passive DNS | Domain registration maxbook[.]space |
2020-02-17 | Blockchain | Wallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update anotheronedom[.]com |
2020-02-17 | Passive DNS | Domain registration anotheronedom[.]com |
2020-02-14 | Blockchain | Wallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update sleepingcontrol[.]com |
2020-01-24 | Blockchain | Wallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update robotatten[.]com |
2020-01-23 | Blockchain | Wallet 34RqywhujsHGVPNMedvGawFufFW9wWtbXC update robotatten[.]com |
2020-01-23 | Passive DNS | Domain registration sleepingcontrol[.]com robotatten[.]com |
2019-06-19 | Blockchain | Wallet 15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 update venoxcontrol[.]com |
2019-06-14 | Passive DNS | Domain registration venoxcontrol[.]com |
The Four Glupteba Campaigns
We have been able to identify 15 Glupteba bitcoin addresses spanning over four years and what we believe to be four different campaigns.
Campaign 1
The oldest wave seems to have started in June 2019. Back then, only one single Bitcoin address was used to distribute the malicious domains. This also corroborates what Google found out in their lawsuit against two Glupteba operators.
Address | First seen | Last seen | Transactions | Number of samples |
---|---|---|---|---|
15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6 | 2019-06-17 15:51 | 2020-05-13 13:02 | 16 | 54 |
Figure 4 shows a graph of the address transactions. We can see the OP_RETURN transactions like 3Jt2U where the funds bounce back to the 15y7d address. Interestingly, all the remaining $36.18 on the 15y7d address were sent to the address 3Jwj7 in February 2020. No activity has been observed at that address since then.
Campaign 2
The second wave seems to have started in April 2020; this time two Bitcoin addresses were used to distribute the malicious C2 domains. Interestingly, we did not find any samples using the second address; it could be a testing address used to ensure the Glupteba variants were behaving as expected. In addition, the domain distributed via the supposed testing address, deepsound[.]live, has not been seen in any other transaction we were able to find across both addresses. It may be that we are simply missing some samples.
Address | First seen | Last seen | Transactions | Number of samples |
---|---|---|---|---|
1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1 | 2020-04-08 18:28 | 2021-10-19 17:28 | 11 | 87 |
1bRfcRZVws98j3QQEZxrgRVd15vVF6zSU | 2020-04-08 14:21 | 2020-04-08 15:49 | 2 | 0 |
Here the same pattern can be observed on the first address 1CgPC: after a period of activity, the remaining funds, accounting for $28.45, were transferred back to some vendor or merchant in November 2021. On the supposed test Bitcoin address, the funds were not transferred and remain on the account to this day, for a balance of $76.80. Figure 5 shows the transactions to and from both addresses.
Campaign 3
The third campaign starts in November 2021; the number of bitcoin addresses used to deliver malicious domains doubled, from 2 in 2020 to 4 in 2021. This campaign was the shortest of all, with a lifespan of only about two months. We believe this is likely due to Google's efforts to take the botnet down, when about a year ago Google filed a lawsuit against two Glupteba operators and several actions were taken to disrupt the botnet operations. This is also the first time TOR hidden services were used as command-and-control servers by Glupteba.
Address | First seen | Last seen | Transactions | Number of samples |
---|---|---|---|---|
1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97 | 2021-10-13 15:20 | 2021-12-29 10:15 | 12 | 77 |
12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY | 2021-12-12 21:38 | 2021-12-13 21:14 | 3 | 3 |
1HjoomvzjtvZdbznoEijTNAkMjmsFba9fY | 2021-12-08 15:57 | 2021-12-08 17:12 | 2 | 17 |
1GLjCyG3fDf7vT3SxwtEUx7Z2w2UQrR3FU | 2021-11-09 12:22 | 2021-11-09 12:49 | 2 | 0 |
Glupteba operators used 4 wallets, with the most active one being 1CUha, as shown in Figure 6. Again, there were no remaining funds left on the Bitcoin addresses. This is also the oldest address in this campaign and the one with the highest number of transactions. Interestingly, we were not able to find a single sample referring to the address 1GLjC, which we believe may have been used for testing the malware, similar to 2020. The domain it distributed, newcc[.]com, was also not registered at the time, which could indicate it was used in a testing environment, or we could be missing some samples.
Campaign 4
The latest and ongoing campaign started in June 2022, 6 months after the Google lawsuit, and this time the number of malicious bitcoin addresses significantly increased. We believe this is due to several factors. First, having more Bitcoin addresses makes the security researcher's job more complicated. Second, it shows that the Google lawsuit did not have a major effect on their Glupteba operations. For this campaign we were not able to find any samples for 3 of the addresses we gathered. We believe these addresses are not made for testing, as they distribute some domains found in other Bitcoin addresses for which we did find samples. In addition, there was a tenfold increase in TOR hidden services being used as C2 servers since the 2021 campaign.
Address | First seen | Last seen | Transactions | Number of samples |
---|---|---|---|---|
1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK | 2022-06-01 14:16 | 2022-11-08 11:54 | 11 | 1197 |
1LQ2EPBwPqdbmXwN6RodPS4xqcm8EtPcaB | 2022-06-03 13:59 | 2022-10-29 11:29 | 4 | 6 |
1MuJwQKLQKt1VCBQ9u1RtepW7sDD3AwRE6 | 2022-06-03 15:02 | 2022-10-29 11:37 | 4 | 6 |
1Mz2b2onxnAYhJTJQoGHdSBy6wu2HpufVR | 2022-06-03 14:33 | 2022-10-29 11:40 | 5 | 3 |
1NX7zTP6C4oGj2y3DaJTrg26AGFWExvYnr | 2022-06-06 14:10 | 2022-10-29 12:07 | 6 | 6 |
14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs | 2022-06-03 14:56 | 2022-10-29 12:03 | 8 | 12 |
15nWGFaodg3efVKATgsaaSPU2TxSbiMHcP | 2022-06-03 14:34 | 2022-10-29 11:30 | 6 | 48 |
19RzEN3pqHvgRHGMjjtYCqjVTXt8bnHkK3 | 2022-06-06 13:51 | 2022-10-29 11:37 | 4 | 6 |
1AuWUMtjPo7Cc1Ji2pz7DWVvVJ5EjiUaHh | 2022-06-06 14:04 | 2022-10-29 11:43 | 4 | 3 |
1BL6NZSoXtMSdquRmePDUCQxFaXtLLSVWG | 2022-06-07 08:51 | 2022-10-28 10:51 | 4 | 3 |
1BqY56No1LR64AGcog4mF54UTPnjrPAPHz | 2022-06-04 07:59 | 2022-10-29 11:41 | 4 | 3 |
1BrEshrz6gVbVuHGBgJ5GuHBvC2sdoeTAJ | 2022-06-04 02:35 | 2022-10-29 11:42 | 4 | 3 |
1CfevVPC8cSpFf7QKQwShrFgQYfyQaoXhc | 2022-06-06 14:05 | 2022-10-29 12:10 | 6 | 3 |
1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN | 2022-06-03 13:55 | 2022-10-29 11:28 | 8 | 3 |
1HSC8Yt2yjuFUSGpUfJnwLMr4HzNxV3dvP | 2022-06-06 13:58 | 2022-10-29 11:33 | 6 | 0 |
1Cxy9e6KtHtBJrQwCwpKgcyp6dhncx6eNh | 2022-06-03 14:05 | 2022-07-04 16:07 | 4 | 0 |
1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd | 2022-05-31 15:19 | 2022-10-29 12:04 | 8 | 0 |
The transaction graphs shown in Figure 7, involving the addresses used in the 2022 campaign, show the upscaling of the operations since 2019. Finally, we traced these transactions back even further, and we believe that at least 5 different merchants and exchanges were used to fund the Glupteba addresses since 2019.
Conclusion
In this blog, we have shown how Glupteba can be hunted by following blockchain transactions, TLS certificate registrations, and by reverse engineering samples. We also had a look at how the blockchain can be used to store arbitrary data and how threat actors leverage this in the wild. In addition, we tried to shed some light on the Glupteba campaigns over the years. In terms of resilience, we have seen how the actions Google took to disrupt the Glupteba botnet had an impact on the 2021 campaign, which we believe ended abruptly. Even with Google winning a favorable ruling recently, we had hoped it would inflict a severe blow to Glupteba operations, but almost a year later we can say it likely did not. Indeed, it took Glupteba about six months to build a new campaign from scratch and distribute it in the wild, and this time on a much larger scale.
For defenders and responders, we strongly suggest blocking blockchain-related domains like blockchain.info, but also the known Glupteba C2 domains, in your environment. We also recommend monitoring DNS logs and keeping antivirus software up to date to help prevent a potential Glupteba infection.
Indicators of Compromise
The post Tracking Malicious Glupteba Activity Through the Blockchain appeared first on Nozomi Networks.
*** This is a Security Bloggers Network syndicated blog from Nozomi Networks authored by Nozomi Networks Labs. Read the original post at: https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/