Just as the software we use keeps getting better and receiving upgrades, viruses also keep finding new ways to infect computers and online services, causing problems for users.
Recently, the Glupteba dropper and backdoor trojan was found to be capable of updating its command-and-control (C&C) domains by tracking Bitcoin transactions. In addition, the Glupteba dropper installs two more components on the victim's system: a browser stealer and a router exploit.
The browser stealer then collects the user's browsing history, along with cookies, account names and passwords, from browsers such as Chrome, Opera, and Yandex. Meanwhile, the router exploit takes advantage of a MikroTik RouterOS vulnerability that allows the attackers to write arbitrary files. The router exploit lets the attackers configure the router as a SOCKS proxy, which relays the malicious traffic so as to hide the attackers' real IP address.
Glupteba's C&C updating functionality is particularly noteworthy. The malware uses a discoverDomain function that enumerates Electrum Bitcoin wallet servers from a publicly available list. It then tries to query the blockchain script hash history using a hardcoded hash, which reveals the full history of the related transactions.
This particular version of Glupteba was delivered via a malvertising campaign targeting file-sharing websites. If the malware loses control of a C&C server for some reason, the attackers add a new Bitcoin script, and the infected machine obtains a new server address by decrypting the script data and reconnecting.
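The scripthash-history lookup described above is also a detection opportunity: a legitimate wallet queries its own addresses, whereas many unrelated hosts on a network repeatedly asking Electrum servers about the same hardcoded script hash is a strong sign of this C&C discovery mechanism. The following added example (not code from the article or from any Glupteba analysis) parses constructed network-sensor log lines of Electrum JSON-RPC requests and reports script hashes queried from more than one client; the log format, hosts, ports and the script hash value are all made up, while `blockchain.scripthash.get_history` is the real Electrum protocol method name.

```python
import json
from collections import defaultdict

# Constructed sample: "client_ip server_port json_rpc_request" lines, as a
# network sensor might record Electrum client traffic. Every value is made up;
# FAKE_SCRIPTHASH is a placeholder, not a real Glupteba indicator.
FAKE_SCRIPTHASH = "ab" * 32
SAMPLE_LOG = "\n".join([
    '10.0.0.5 50002 {"id": 1, "method": "server.version", "params": ["electrum-4.0", "1.4"]}',
    f'10.0.0.5 50002 {{"id": 2, "method": "blockchain.scripthash.get_history", "params": ["{FAKE_SCRIPTHASH}"]}}',
    f'10.0.0.9 50001 {{"id": 7, "method": "blockchain.scripthash.get_history", "params": ["{FAKE_SCRIPTHASH}"]}}',
    f'10.0.0.9 50001 {{"id": 8, "method": "blockchain.scripthash.get_history", "params": ["{FAKE_SCRIPTHASH}"]}}',
    '10.0.0.7 50002 {"id": 3, "method": "blockchain.headers.subscribe", "params": []}',
    # Same method on a non-Electrum port: ignored, as it is not wallet-server traffic.
    f'10.0.0.8 8333 {{"id": 4, "method": "blockchain.scripthash.get_history", "params": ["{FAKE_SCRIPTHASH}"]}}',
])

WATCH_METHODS = {"blockchain.scripthash.get_history"}
ELECTRUM_PORTS = {50001, 50002}  # common Electrum TCP/TLS ports (assumption)

def parse_line(line):
    """Split one log line into (client_host, server_port, parsed JSON-RPC request)."""
    host, port, raw = line.split(" ", 2)
    return host, int(port), json.loads(raw)

def find_scripthash_lookups(log_text):
    """Map each queried script hash to the sorted list of client hosts
    that requested its history from an Electrum server port."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, port, req = parse_line(line)
        if port not in ELECTRUM_PORTS or req.get("method") not in WATCH_METHODS:
            continue
        params = req.get("params") or []
        if params:
            seen[params[0]].add(host)
    return {sh: sorted(hosts) for sh, hosts in seen.items()}

def shared_scripthashes(log_text, min_hosts=2):
    """Script hashes queried by at least min_hosts distinct clients: the
    candidates to pivot on, since infected machines all poll the same hash."""
    return {sh: hosts for sh, hosts in find_scripthash_lookups(log_text).items()
            if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for sh, hosts in shared_scripthashes(SAMPLE_LOG).items():
        print(f"scripthash {sh[:16]}... queried by {len(hosts)} hosts: {', '.join(hosts)}")
```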