Crafty malware uses BTC blockchain to stay up to date


A very troublesome piece of malware has anti-virus experts sitting up and taking notice. Glupteba, which isn't new but is certainly nasty, has recently been found to use the SegWitCoin (BTC) blockchain to make itself extra resilient against possible defenses.

Trend Micro, the antivirus software supplier, recently published its findings on the Glupteba malware. First discovered in December 2018, the malware is distributed through malvertising, in other words advertising designed to spread malware through embedded script. Once it is on a device, it installs everything it needs to quietly take control of the machine and evade anti-virus software and firewalls.

The ultimate aim of the software is to connect to malicious remote command and control (C&C) servers, which then allow the attacker to take control of the device and use it in any way they wish. So how does the BTC blockchain come into the equation?

The hackers, realizing that any given C&C server might get shut down, did not code Glupteba to simply point to a fixed handful of servers, which would have made it obsolete once they were all shut down. Instead, they programmed Glupteba to query BTC OP_RETURN data.

This allows the hackers to reprogram Glupteba by sending BTC transactions. If a C&C server gets shut down by anti-virus experts or authorities, they can simply send a BTC transaction with a new C&C server address encoded in the OP_RETURN field. The malware then reads that data from the blockchain and reconnects to the new malicious server.
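The mechanism described above, a hostname carried in an OP_RETURN output, can be inspected by anyone who parses the output scripts of a transaction, which is how an analyst would check what a watched address has published. The following is an added example in Python, not code from the article or from Trend Micro: it walks a legacy-serialised transaction and returns every OP_RETURN payload; the sample transaction and the hostname inside it are constructed placeholders.

```python
OP_RETURN, OP_PUSHDATA1 = 0x6A, 0x4C

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = 2 << (first - 0xFD)               # 0xFD -> 2, 0xFE -> 4, 0xFF -> 8 bytes follow
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def pushed_data(script):
    """Concatenate the data of the push opcodes that follow OP_RETURN (direct pushes and OP_PUSHDATA1)."""
    out, i = b"", 1                          # byte 0 is OP_RETURN itself
    while i < len(script):
        op = script[i]
        if 1 <= op <= 75:                    # direct push of 1..75 bytes
            n, i = op, i + 1
        elif op == OP_PUSHDATA1:             # next byte gives the length
            n, i = script[i + 1], i + 2
        else:
            break                            # anything else is not a push; stop
        out += script[i:i + n]
        i += n
    return out

def op_return_payloads(raw_tx):
    """Return the data embedded via OP_RETURN in each output of a legacy-serialised transaction."""
    pos = 4                                  # version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):                    # inputs are skipped, not interpreted
        pos += 36                            # previous txid + output index
        script_len, pos = read_varint(raw_tx, pos)
        pos += script_len + 4                # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    payloads = []
    for _ in range(n_out):
        pos += 8                             # value in satoshis
        script_len, pos = read_varint(raw_tx, pos)
        script = raw_tx[pos:pos + script_len]
        pos += script_len
        if script and script[0] == OP_RETURN:
            payloads.append(pushed_data(script))
    return payloads

# Constructed sample (not a real Glupteba transaction): one input, one OP_RETURN
# output carrying a placeholder hostname, one ordinary P2PKH output, locktime 0.
_DATA = b"c2.example.invalid"                # placeholder, not a real indicator
SAMPLE_TX = (
    b"\x01\x00\x00\x00\x01" + b"\x00" * 32 + b"\xff\xff\xff\xff\x00\xff\xff\xff\xff"
    + b"\x02" + b"\x00" * 8 + bytes([2 + len(_DATA), OP_RETURN, len(_DATA)]) + _DATA
    + (1000).to_bytes(8, "little") + b"\x19\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
    + b"\x00\x00\x00\x00"
)
```

Running `op_return_payloads(SAMPLE_TX)` returns `[b'c2.example.invalid']`; SegWit-serialised transactions (marker byte 0x00 after the version) would need the witness fields skipped as well.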

While Trend Micro doesn't comment on why BTC was selected as the blockchain of choice, it could simply be because of the volume of traffic on that blockchain. Miners are swamped with transactions that the network already fails to handle, due to its inability to scale, and they confirm those transactions as quickly as they can to keep up with demand, without an eye to detail.

Trend Micro recommends that, if you wish to avoid becoming infected with this malware, your two best bets are to maintain an updated anti-virus suite and to ensure your home or office router is updated and secure.
