Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine for cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices.
These proxies are later sold as 'residential proxies' to other cybercriminals.
The malware is predominantly distributed through malvertising on pay-per-install (PPI) networks and traffic distribution systems (TDS) pushing installers disguised as free software, videos, and movies.
Glupteba utilizes the Bitcoin blockchain to evade disruption by receiving updated lists of command and control servers it should contact for commands to execute.
The botnet's clients retrieve the C2 server address using a discover function that enumerates Bitcoin wallet servers, retrieves their transactions, and parses them to find an AES encrypted address.
This strategy has been employed by Glupteba for
several years now, offering resilience against takedowns.
That's because blockchain transactions cannot be erased, so C2 address takedown efforts have a limited impact on the botnet.
Moreover, without a Bitcoin private key, law enforcement cannot plant payloads onto the controller address, so sudden botnet takeovers or global deactivations like the one that
impacted Emotet in early 2021 are impossible.
The only downside is that the Bitcoin blockchain is public, so anyone can access it and scrutinize transactions to gather information.
