
Blockchain is Enabling Malware

Blockchain was going to save the world. Remember the hype? It was going to save the environment. Blockchain was going to change the world. In a 2018 hype piece, Wired listed “187 Things the Blockchain Is Supposed to Fix.” The first item on that 2018 Wired list was “Bots with nefarious intent.”

Well, it is 2023 and Wired’s prediction is wrong. Cybersecurity firm Nozomi Networks is reporting that blockchain is being used to enable malware. Bleeping Computer writes that the security researchers found the Glupteba malware botnet has been resurrected. Glupteba is blockchain-enabled malware that has been targeting Windows devices worldwide since at least 2011.

Blockchain-enabled malware

The San Francisco cybersecurity firm describes Glupteba as a blockchain-enabled, modular malware that infects Windows and IoT devices. The malware is distributed through malvertising on pay-per-install (PPI) networks and traffic distribution systems (TDS). It pushes the malware installer when the victim clicks on a weaponized link disguised as free software, videos, or movies. Once installed, the malware will mine for cryptocurrency, steal user credentials, and deploy proxies on compromised systems. The proxies are later sold as ‘residential proxies’ to other cybercriminals.

Bitcoin wallet

Glupteba uses the Bitcoin blockchain to evade disruption. The zombies get updated lists of command and control (C2) servers to contact for commands to execute their malware activities from the Bitcoin blockchain. The infected computers search the public Bitcoin blockchain for transactions related to wallet addresses owned by the attackers. From those wallet transactions, the zombie clients can fetch an AES-encrypted C2 server address.

The malware uses the blockchain strategy to prevent takedowns like Google’s December 2021 disruption. Google was able to disrupt the blockchain-enabled botnet by obtaining court orders to seize control of the botnet’s infrastructure and by filing complaints against two Russian operators.


Because blockchain transactions cannot be erased (by design), it is much harder to take down C2 servers. Furthermore, without the attackers’ Bitcoin private key, law enforcement cannot plant payloads onto the controller address to take over or shut down the botnet. Ars has a deeper explanation here.
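As an added, defender-side example (this is not code from the post, from Nozomi, or from Ars), here is a small Python tool an analyst can run over a raw legacy Bitcoin transaction to list its OP_RETURN data-carrier outputs and flag opaque, non-printable payloads of the kind a blockchain-hosted C2 configuration would look like. It assumes the attacker’s data rides in OP_RETURN outputs (the post says only that it sits in transactions tied to the attackers’ wallet), and the sample transaction is constructed inline with a fake input and no real wallet address.

```python
import struct

OP_RETURN = 0x6A  # Bitcoin script opcode marking a provably unspendable data-carrier output

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, new_pos)."""
    n = buf[pos]
    if n < 0xFD:
        return n, pos + 1
    fmt, size = {0xFD: ("<H", 2), 0xFE: ("<I", 4), 0xFF: ("<Q", 8)}[n]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + size

def output_scripts(raw):
    """Walk a legacy (non-segwit) serialized transaction and return each output's scriptPubKey."""
    pos = 4                                 # skip 4-byte version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                           # previous txid (32) + output index (4)
        slen, pos = read_varint(raw, pos)
        pos += slen + 4                     # scriptSig bytes + 4-byte sequence
    n_out, pos = read_varint(raw, pos)
    scripts = []
    for _ in range(n_out):
        pos += 8                            # 8-byte satoshi value
        slen, pos = read_varint(raw, pos)
        scripts.append(bytes(raw[pos:pos + slen]))
        pos += slen
    return scripts

def op_return_payload(script):
    """Return the bytes pushed after OP_RETURN, or None if the script is not a data carrier."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op = script[1]
    if 1 <= op <= 75:                       # direct push of 1..75 bytes
        return script[2:2 + op]
    if op == 0x4C and len(script) > 2:      # OP_PUSHDATA1: one length byte follows
        return script[3:3 + script[2]]
    return None

def find_data_carriers(raw_hex):
    """List every OP_RETURN output; opaque (non-printable) payloads deserve a closer look."""
    hits = []
    for idx, script in enumerate(output_scripts(bytes.fromhex(raw_hex))):
        data = op_return_payload(script)
        if data is not None:
            printable = all(32 <= b < 127 for b in data)
            hits.append({"vout": idx, "len": len(data), "printable": printable, "hex": data.hex()})
    return hits

def build_sample_tx(payloads):
    """Constructed test input only: version 1, one unsigned dummy input, one OP_RETURN output per payload."""
    tx = struct.pack("<I", 1) + b"\x01" + b"\x00" * 32 + b"\xff" * 4 + b"\x00" + b"\xff" * 4
    tx += bytes([len(payloads)])
    for p in payloads:                      # payloads must be <= 75 bytes (direct push)
        tx += struct.pack("<q", 0) + bytes([2 + len(p), OP_RETURN, len(p)]) + p
    return (tx + struct.pack("<I", 0)).hex()
```

Running `find_data_carriers(build_sample_tx([b"hello", bytes(range(16))]))` reports one printable and one opaque output; on a real transaction fetched from a node you would feed its raw hex in the same way.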

Please remember that the original reason for Bitcoin was that it would do away with the need for trust in people. The assumption appears to be that you can trust the technology – but not people. This malware proves that this is a faulty premise.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.