Glupteba – the malware that gets secret messages from the Bitcoin blockchain

Here’s a SophosLabs technical paper that should tick all your jargon boxes!

Our experts have deconstructed a strain of malware called Glupteba that uses just about every cybercrime trick you’ve heard of, and probably several more besides.

Like a lot of malware these days. Glupteba is what’s known a zombie or bot (short for software robot) that can be controlled from afar by the crooks who wrote it.

But it’s more than just a remote control tool for criminals, because Glupteba also includes a range of components that let it serve as all of the following:

There’s more – much more

But that’s not all.

The most interesting feature that we learned about in the report (and we think you’ll be fascinated too) is how Glupteba uses the Bitcoin blockchain as a communication channel for receiving updated configuration information.

As you probably know, zombies or bots aren’t much use to the crooks if they can’t call home to get their next wave of instructions.

Glupteba has a long list of built-in malicious commands that the crooks can trigger, including the self-explanatory update-data and upload-file commands that are detailed in the report. But it also includes, as with most bots, generic commands to download and run new malware, meaning that even if you know everything about Glupteba itself, you can’t predict what it might morph into next because the crooks can update the running malware at will.

The current command-and-control servers used by the crooks, known as C2 servers or C&Cs, might get found out and blocked or killed off at any moment, so zombie malware often includes a method for using an otherwise innocent source of data for updates.

After all, to tell a bot to switch from one C&C server to another, you typically don’t need to send out much more than new domain name or IP number, and there are lots of public messaging systems that make it easy to share short snippets of data like that.

For example, bots have used services such as Twitter, Reddit, Pastebin and other public websites as temporary storage for secret messages, in the same way that spies from the Cold War era might have communicated using the “Personals” section in a print newspaper.

Bring on the blockchain

Glupteba uses the fact that the Bitcoin transactions are recorded on the Bitcoin blockchain, which is a public record of transactions available from a multitude of sources that are unexceptionably accessible from most networks.

Bitcoin “transactions” don’t actually have to be about money – they can include a field called RETURN, also known as OP_RETURN, that is effectively a comment of up to 80 characters.

Let’s start with a list of all the Bitcoin transaction hashes (lightly redacted) associated with one of the Bitcoin wallets used as a covert source of messages by Glupteba.

The wallet ID shown here was extracted from the malware by SophosLabs.

The command line program bx below is a popular and useful Bitcoin blockchain explorer tool:

$ bx fetch-history 15y7......qNHXRtu5wzBpXdY5mT4RZNC6 | awk '$1 == "hash" { print $2 }'

If we fetch the details of each of these transactions, we can see which ones include OP_RETURN data.

Here’s a transaction dump for one that does, truncated to save space:

$ bx fetch-tx 55e8fe62bcc41ec465c3f1f28........f5d82443a15a30d88fefc3f55ad2f29
    hash 98987c05277c97b06......1ce207e74334c203075ec27b44b3cc458bf
[ . . . . . . . . . ]    
            script "return [18fe788a52d7aa57808d801d0f8f7cd39e1a......9f986b877befce0c2f558f0c1a9844833ac702cb3eba6e]"
[ . . . . . . . . . ]            
            value 0
[ . . . . . . . . . ]  

The bytes in the OP_RETURN data shown above are the secret message.

To decrypt it, you need a 256-bit AES decryption key that’s coded into the the Glupteba malware program (you can find the keys in the SophosLabs paper), and you need to know that the data returned in the blockchain consists of:

First 12 bytes   = AES-256-GCM initialisation vector
Last 16 bytes    = AES-256-GCM authentication tag
Bytes in between = Encrypted message (bytes from 0f8f7cd3... to ...877befce)

Decrypt the data from the blockcode to reverse the AES-256-GCM encryption, and you’ll reveal the hidden message.

This sort of “hiding in plain sight” is often referred to as steganography.

Here’s some pseudocode to give you the idea:

   > cipher = newcipher('AES-256-GCM')
   > cipher.key = d8727a0e...d66503cf               // extracted by SophosLabs
   > cipher.iv  = 18fe788a52d7aa57808d801d          // GCM mode needs an IV
   > cipher.tag = 0c2f558f0c1a9844833ac702cb3eba6e  // GCM mode needs a message hash
   > plain = cipher:decrypt(0f8f7cd39e1a......9f986b877befce)
   > print('secret message is: ',plain)

   secret message is:               // see report for full IoC list
                                                    // this is a new C&C server to move to

And that’s how Glupteba hides its command-and-control server names in plain sight!

How bad is it?

The bad news about Glupteba is that its many self-protection components mean that it has many tricks available to stop itself showing up in your security logs.

The good news is that this complexity makes the malware less reliable, and ironically more prone to triggering security alarms at some point.

Indeed, some of the low-level programming tricks it uses, including the kernel-level rootkits, not only don’t work on recent versions of Windows, but also often draw attention to themselves by the way they misbehave, up to and including crashing your computer with a giveaway blue screen of death.

Also, Glupteba relies on numerous exploits that were patched many months or years ago – including the attacks it uses against routers – so a patched system is much less likely to get infected in the first place.

Lastly, the main delivery mechanism we’re aware of so far that brings infections of Glupteba into a network (assuming you are patched against ETERNALBLUE and can’t get infected by its viral component), seems to be via “software cracks” on well-known piracy sites.

Like this one:

This crack didn’t lead to Adobe Illustrator.
It led to a Glupteba infection.

What to do?


If you enjoyed this article, why not watch one of our Naked Security Live videos in which we discuss the weird and wonderful world of steganography?

You can watch directly on YouTube if the video won’t play here.

The articles referenced in the video are: