The Gluepta Malware Can Now Manipulate the Bitcoin Blockchain

Cybersecurity experts have issued a warning over Gluepta, a nefarious malware that seems to be exploiting the strength of the Bitcoin blockchain to keep itself functional. 

A blog post published on September 4 revealed that researchers at Internet security firm TrendMicro discovered the cross between the malware and the Bitcoin blockchain recently. The post added that it could now invade host computers and mine privacy-focused crypto-asset Monero, while also stealing sensitive browser information such as cookies, passwords, and more. 

In addition to its propensity to mine Monero, TrendMicro researchers added that this version of the malware also takes advantage of an established security vulnerability in MicroTik routers, thus using the host computer as a proxy to initiate a string of spam attacks targeted at Instagram users. 

As for how the attack usually works, researchers explained that the host computer is hit with a “malvertising attack;” essentially, a false advertising program that ends with malware being downloaded unintentionally by the user). The target computer downloads a Gluepta “dropper,” which goes on to infect it with several backdoors, rootkits, and malware from GitHub. 

Once fully installed, the Gluepta dropper also searches the target computer to search for antivirus software, include itself in security whitelists, and add several other firewall rules as well. 

However, one of the most notable aspects of its operation is that it makes use of Bitcoin to update itself automatically. Thus, the use of Bitcoin ensures that the malware continues to run, even if an antivirus software detects it and blocks its connection to remote command and control (C&C) servers being operated by the attackers.

Researchers explained that the Gluepta attackers would send Bitcoin transactions through the Electrum Bitcoin wallets. The malware has already been configured with a ScriptHash string, so it can get to a public list of Electrum servers to find the transactions made by the attacker. In one of those servers is an OP_RETURN data, which already contains an encrypted C&C domain. The data is decrypted, and the malware continues running.  

TrendMicro added, “This technique makes it more convenient for the threat actor to replace C&C servers. If they lose control of a C&C server for any reason, they simply need to add a new Bitcoin script and the infected machines obtain a new C&C server by decrypting the script data and reconnecting.”

The security firm recommends that readers don’t click on any suspicious Email links, as well as to ensure that their router firmware is updated.

The discovery of this malware is especially interesting, most of all for its mode of operation. An ability to run without connection to servers represents a significant evolution of cyber threats, marking a significant improvement over the ability to simply evade detection. 

However, it could eventually serve as an additional indictment of cryptocurrencies. The belief that crypto-assets only enable cybercrime is still very rampant, and with this discovery fueling that fire, it would most likely dissuade more people who might have wanted to buy cryptocurrency. 

For now, however, everyone is advised to be safe while on the Internet.