Researchers at SophosLabs report that the operators of the Glupteba cryptojacking malware have been using the Bitcoin blockchain to communicate with infected machines in secret.
According to the report, published on June 24, the operators embed encrypted messages in Bitcoin transactions; reading those messages requires a 256-bit AES decryption key.
Encrypted messages used to update malware
The purpose of the channel is to deliver updated configuration information to the malware. The bot uses that data to obtain fresh instructions and update itself.
Glupteba is a bot, malware that can be controlled remotely. Its components include a rootkit, a security-software suppressor, a virus, a router attack tool, a browser stealer and a cryptojacking tool.
A sample of the encrypted message - Source: SophosLabs
SophosLabs explains in detail about the curious feature:
“Glupteba uses the fact that the Bitcoin transactions are recorded on the Bitcoin blockchain, which is a public record of transactions available from a multitude of sources that are unexceptionably accessible from most networks. Bitcoin transactions don’t actually have to be about money - they can include a field called RETURN, also known as OP_RETURN, that is effectively a comment of up to 80 characters.”
Future malware-delivery-as-a-service provider?
The cybersecurity firm also warns that the operators could turn this feature into a selling point and commercialize the botnet.
Andrew Brandt, a principal researcher at SophosLabs, told ZDNet:
“I’d say the Glupteba attackers are angling to market themselves as a malware-delivery-as-a-service provider to other malware makers who value longevity and stealth over the noisy quick endgame of, for instance, a ransomware payload.”
This is not the first time the Bitcoin blockchain has been used to carry a message. On May 25, a message signed with 145 addresses holding Bitcoin (BTC) from a number of early blocks called Craig Wright a “liar and a fraud.”