Just as the software we use receives improvements and updates, malware keeps finding new ways to infect computers and online environments, creating problems for users.
Recently it turned out that the Glupteba dropper and backdoor trojan can manage and control its C&C domains by tracking bitcoin transactions. Along with this, the Glupteba dropper adds two further components: a browser stealer and a router exploit.
The browser stealer gets access to the user's browsing history, as well as cookies, account names and passwords from browsers such as Chrome, Opera and Yandex. Meanwhile, the router exploit targets a MikroTik RouterOS vulnerability that allows attackers to write arbitrary files.
Exploiting the router lets the cybercriminals configure it as a SOCKS proxy server that relays their malicious traffic, hiding the cybercriminals' real IP address.
Glupteba's C&C update mechanism deserves special attention. The malware uses a DiscoverDomain function that enumerates Electrum bitcoin wallet servers from a public list. It then tries to query the blockchain script hash history using a hard-coded hash, which returns the entire history of the related transactions.
This version of Glupteba was distributed as part of an advertising campaign aimed at file-sharing sites. If the malware for some reason loses contact with its C&C server, a new bitcoin script is added to the blockchain and the infected machine obtains a new server address by decrypting the script data and reconnecting.
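The DiscoverDomain behaviour described above has a network-visible signature: a host that is not a bitcoin wallet fanning the same script-hash history query out to several Electrum servers. The following detection logic is an added example, not code from the original article or from any Glupteba analysis; the capture line format, host addresses and scripthash value are constructed placeholders, while the JSON-RPC method names are the real ones from the Electrum server protocol.

```python
import json
import re
from collections import defaultdict

# Electrum protocol methods a wallet uses to pull a script's transaction history.
HISTORY_METHODS = {"blockchain.scripthash.get_history", "blockchain.address.get_history"}

# Constructed capture format: "<ts> <src_ip> -> <dst_ip>:<port> <json-rpc line>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\{.*\})$")

def parse_capture(lines):
    """Parse constructed newline-delimited JSON-RPC capture lines into dicts."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, body = m.groups()
        try:
            rpc = json.loads(body)
        except json.JSONDecodeError:
            continue  # not a JSON-RPC payload; ignore
        out.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                    "method": rpc.get("method"), "params": rpc.get("params", [])})
    return out

def find_scripthash_beacons(lines, known_wallet_hosts=frozenset(), min_servers=2):
    """Flag non-wallet hosts that query script-hash history across several Electrum servers.

    A real wallet usually talks to one server; a client sending the same scripthash to
    many servers from a host with no wallet installed matches the DiscoverDomain pattern."""
    by_src = defaultdict(lambda: {"servers": set(), "scripthashes": set()})
    for r in parse_capture(lines):
        if r["method"] not in HISTORY_METHODS or r["src"] in known_wallet_hosts:
            continue
        by_src[r["src"]]["servers"].add(r["dst"])
        if r["params"]:
            by_src[r["src"]]["scripthashes"].add(str(r["params"][0]))
    return {src: {"servers": sorted(v["servers"]), "scripthashes": sorted(v["scripthashes"])}
            for src, v in by_src.items() if len(v["servers"]) >= min_servers}

# Constructed sample: 10.0.0.5 fans one hard-coded scripthash out to three servers,
# 10.0.0.9 is a known wallet host, and 10.0.0.7 only subscribes to block headers.
SAMPLE = [
    '2024-01-01T10:00:00Z 10.0.0.5 -> 203.0.113.10:50001 {"id":1,"method":"server.version","params":["c","1.4"]}',
    '2024-01-01T10:00:01Z 10.0.0.5 -> 203.0.113.10:50001 {"id":2,"method":"blockchain.scripthash.get_history","params":["PLACEHOLDER_SCRIPTHASH"]}',
    '2024-01-01T10:00:02Z 10.0.0.5 -> 203.0.113.11:50002 {"id":3,"method":"blockchain.scripthash.get_history","params":["PLACEHOLDER_SCRIPTHASH"]}',
    '2024-01-01T10:00:03Z 10.0.0.5 -> 203.0.113.12:50001 {"id":4,"method":"blockchain.scripthash.get_history","params":["PLACEHOLDER_SCRIPTHASH"]}',
    '2024-01-01T10:00:04Z 10.0.0.9 -> 203.0.113.10:50001 {"id":5,"method":"blockchain.scripthash.get_history","params":["aa"]}',
    '2024-01-01T10:00:05Z 10.0.0.7 -> 203.0.113.10:50001 {"id":6,"method":"blockchain.headers.subscribe","params":[]}',
]

if __name__ == "__main__":
    print(find_scripthash_beacons(SAMPLE, known_wallet_hosts={"10.0.0.9"}))
```

Feed it real captures (Electrum servers usually listen on 50001/50002) and compare flagged scripthashes against indicators published for the sample you are hunting.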