{"id":126705,"date":"2023-03-07T16:08:47","date_gmt":"2023-03-07T21:08:47","guid":{"rendered":"https:\/\/rbach.net\/?p=126705"},"modified":"2024-01-13T17:07:52","modified_gmt":"2024-01-13T22:07:52","slug":"blockchain-is-enabling-malware","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/blockchain-is-enabling-malware\/","title":{"rendered":"Blockchain is Enabling Malware"},"content":{"rendered":"\r\n

\"Blockchain<\/a>Blockchain<\/strong> was going to save the world. Remember the hype? It was going to save the environment<\/a>. Blockchain was going to change<\/a> the<\/a> world<\/a>.\u00a0 In a 2018 hype piece Wired<\/em><\/a> listed \u201c187 Things the Blockchain Is Supposed to Fix<\/a>.\u201d The first item on the 2018 Wired<\/em> list of things blockchain was going to fix is \u201cBots with nefarious intent<\/strong>.\u201d\u00a0<\/p>\r\n

\"Nozomi<\/a>Well, it is 2023 and Wired’s prediction is wrong. Cybersecurity firm Nozomi<\/a> is reporting<\/a> that blockchain is being used to enable malware<\/strong>. Bleeping Computer<\/a><\/em> writes<\/a> that the security researchers found the Glupteba<\/a> malware botnet<\/a> has been resurrected. Glupteba is a blockchain-enabled malware that has been targeting Windows devices worldwide since at least 2011.<\/p>\r\n

Blockchain-enabled malware<\/h3>\r\n

The San Fransisco cybersecurity firm describes Glupteba as a blockchain-enabled, modular malware that infects Windows and IoT devices. The malware is distributed through malvertising on pay-per-install<\/a> (PPI) networks and traffic distribution systems<\/a> (TDS). It pushes the malware installer when the victim clicks on a weaponized link disguised as free software, videos, or movies. Once installed, the malware will mine for cryptocurrency<\/a>, steal user credentials, and deploy proxies on compromised systems. The proxies are later sold as ‘residential proxies<\/a>‘ to other cybercriminals.<\/p>\r\n

Bitcoin wallet<\/h3>\r\n

\"\"<\/a>Glupteba uses the Bitcoin<\/a> blockchain to evade disruption. The zombies get updated lists of command and control servers<\/a> to contact for commands to execute their malware activities from Bitcoin. The infested computers search the public Bitcoin blockchain for transactions related to wallet addresses owned by the attackers. From the Bitcoin wallet, the zombie clients can fetch an AES encrypted<\/a> address C2 server address.<\/p>\r\n

The malware uses the blockchain strategy to prevent takedowns, like the Google December 2021 disruption<\/a>. Google was able to disrupt the blockchain-enabled botnet. The botnet was disrupted by gaining court orders to seize control of the botnet’s infrastructure and filing complaints against two Russian operators.<\/p>\r\n

rb-<\/em><\/strong><\/p>\r\n

Because blockchain transactions cannot be erased (by design), it is much harder to take down C2 servers. Furthermore, without a Bitcoin private key, law enforcement cannot plant payloads onto the controller address to take over or shutdown a botnet. Ars has a deeper explanation here<\/a>.<\/em>

Please remember that the original reason for Bitcoin was that it would do away with the need for trust in people. The assumption appears to be that you can trust the technology – but not people. This malware proves that this is a faulty premise.<\/em><\/p>\r\n

 <\/p>\r\n

How you can help Ukraine!<\/a><\/strong><\/em><\/p>\r\n

Related article<\/strong><\/p>\r\n