As per a report by Forbes, security researchers have warned that the bitcoin blockchain is under attack by a new strain of the Glupteba malware, which is capable of using the bitcoin network to resist attacks against itself.
Glupteba Exploits Security Vulnerability To Shield Itself from Attacks
According to Trend Micro’s latest blog post, which details the recently discovered and previously undocumented version, this version is capable of taking over systems in order to mine Monero cryptocurrency and steal sensitive browser data such as passwords and cookies.
Analysts also confirmed that this strain of the Glupteba malware exploits a known security vulnerability in MikroTik routers to turn the compromised router into a SOCKS proxy, enabling widespread spam attempts that could threaten Instagram users.
According to the report, the infection has a systematic mode of operation.
A target machine is first hit with a “malvertising attack,” which forces it to download a Glupteba “dropper.”
The dropper will flood the target with various rootkits, backdoors, and other nasties taken from GitHub. It then does the usual stuff: checking for antivirus programs, adding malicious firewall rules, and adding itself to defender whitelists.
Most notably, however, this malware uses Bitcoin to update itself automatically, ensuring it keeps running even if antivirus software blocks its connection to the remote command and control (C&C) servers run by the attackers.
Malware Uses Electrum Bitcoin Wallet
The malware makes use of the Electrum bitcoin wallet to make, and in particular to send, bitcoin transactions in order for the attackers to gain access to systems.
“This technique makes it more convenient for the threat actor to replace command and control servers,” Trend Micro researchers wrote. A command and control server is the centralized computer that issues commands to an infected network of devices.
“If they lose control of a command and control server for any reason, they simply need to add a new bitcoin script and the infected machines obtain a new command and control server by decrypting the script data and reconnecting.”
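The update mechanism the researchers describe leaves its data on a public ledger, so a defender can retrieve the same transactions for analysis. The following is an added example, not code from Trend Micro or from the malware itself: it parses a raw legacy bitcoin transaction and extracts the data pushed in OP_RETURN outputs, on the assumption that this is where such script data is carried (the standard place for arbitrary data in a transaction); the transaction and its payload are constructed placeholders, not Glupteba's encrypted data.

```python
from typing import List, Tuple

OP_RETURN = 0x6A  # opcode marking an unspendable output that carries data

def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a Bitcoin CompactSize integer at pos; return (value, next pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_outputs(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk a legacy-serialized transaction; return (value_sat, scriptPubKey) per output."""
    if raw[4] == 0x00 and raw[5] == 0x01:
        raise ValueError("segwit serialization is not handled by this parser")
    pos = 4  # skip the 4-byte version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36  # previous txid (32) + output index (4)
        slen, pos = read_varint(raw, pos)
        pos += slen + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        slen, pos = read_varint(raw, pos + 8)
        outs.append((value, raw[pos:pos + slen]))
        pos += slen
    return outs

def op_return_payloads(raw: bytes) -> List[bytes]:
    """Return the bytes pushed after OP_RETURN (direct pushes of 1-75 bytes only)."""
    found = []
    for _, script in parse_outputs(raw):
        if len(script) >= 2 and script[0] == OP_RETURN and 1 <= script[1] <= 75:
            found.append(script[2:2 + script[1]])
    return found

# Constructed sample, not a real chain transaction: one placeholder input, an
# OP_RETURN output pushing 26 bytes of dummy data, and one 1000-sat P2PKH output.
SAMPLE_PAYLOAD = b"constructed sample payload"
RAW_TX = bytes.fromhex(
    "01000000" "01" + "00" * 32 + "ffffffff" "00" "ffffffff"  # version, 1 input
    "02" "0000000000000000" "1c" "6a1a"  # 2 outputs; out0: 0 sat, len 28, OP_RETURN, push 26
) + SAMPLE_PAYLOAD + bytes.fromhex(
    "e803000000000000" "19" "76a914" + "11" * 20 + "88ac"  # out1: 1000 sat P2PKH
    "00000000"  # locktime
)
```

On a real transaction fetched from a node or block explorer, the returned payloads are the bytes an analyst would then attempt to decode; the parser deliberately stops short of interpreting them.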