Cryptojacking, the process of taking over a device and using it for unauthorized cryptomining, has become increasingly popular amongst hackers and as such has attracted many big names in the cybercrime underworld.
One of the largest and most complex operations is the Glupteba Cryptojacking gang, which aims to not only use a victim’s device for mining but also to harvest wallet credentials as well as Google login details and credit card numbers.
Glupteba has been operating for nearly two years and spreads via Google advertisements, as well as phishing emails linked to malicious Google Docs.
Glupteba isn’t a run-of-the-mill cryptojacker, and has several malicious components packaged within:
Rootkit – Glupteba includes a variety of Windows kernel drivers that can hide the existence of specific files and processes. Rootkits help malware lie low by keeping its files off the radar of security tools and out of security logs.
Security suppression – Glupteba has a module that does its best to turn Windows Defender off, and then regularly checks to make sure it hasn’t turned itself back on. It also looks for a laundry list of other security tools, including anti-virus software and system monitoring programs, and kills them off so they can no longer search for and report anomalies.
Additional malware – Glupteba uses two different variants of the ETERNALBLUE exploit to spread itself automatically across the local network, and across any other network it can reach from an infected computer. This gives Glupteba its botnet/worm characteristics.
A router attack tool – Glupteba bundles in various exploits against popular home and small business routers, using an infected computer as a jumping-off point to attack other devices. It uses one of these attacks to turn unpatched routers into network proxies that the crooks can then use as staging points for future attacks. This leaves the unfortunate victim looking like an attacker themselves, showing up as an apparent source of cybercriminal activity.
A cryptojacker – The primary function of the malware: mining cryptocurrency without the user’s consent.
The Glupteba gang has risen to such infamy that in December of last year, Google filed a complaint naming several Russian nationals as the ringleaders of the operation.
Since then, the hackers have been in a game of cat-and-mouse with Google, with the company repeatedly shutting down the gang’s servers, only for additional servers to pop up elsewhere.
According to researchers at Chainalysis, the Glupteba gang has weaponized the blockchain to harvest cryptocurrency and evade authorities.
“Whenever one of Glupteba’s C2 servers is shut down, it can simply scan the blockchain to find the new C2 server domain address, hidden amongst hundreds of thousands of daily transactions. This tactic makes the Glupteba botnet extremely difficult to disrupt through conventional cybersecurity techniques focused on disabling C2 server domains. This is the first known case of a botnet using this approach.”
The gang’s tactics show that they are skilled in evading capture, and show no sign of slowing down despite setbacks.
Glupteba Cryptojacker Analysis
Note: This analysis was carried out by TrendMicro.
The main dropper in the Glupteba attack establishes persistence by installing the rootkit component, which injects malicious code into the svchost.exe process. That process then becomes the downloader of the payload. This is done because Glupteba treats its payload as modules; it is also a way of hiding the malicious process by disguising it as a normal one.
The modular approach of the malware is performed by gradually dropping components onto the system. This is to avoid being detected by antivirus software.
Initial static analysis of the dropper did not uncover much, as the dropper is packed with UPX. Most droppers similar to the sample were also packed to hide meaningful strings. This is common among packed executable files and makes investigation difficult for analysts.
The strings in the unpacked sample indicate that it targets web browsers on different platforms. One payload of this Glupteba variant installs browser extensions that serve malicious advertisements. Furthermore, the targeted browsers are not limited to Windows-based ones; they also include Linux-based, Android-based, and even iOS-based web browsers.
The malware’s code mentions DoublePulsar, a backdoor implant tool that the Shadow Brokers group leaked. It enables the execution of additional malicious code, and it is commonly delivered by the EternalBlue exploit.
The payload observed on the particular machine is an installed extension. These extensions are installed on the system by executing wcrx.exe, a file packed in the same way as the dropper. This file does the following:
- Adds a browser extension named chrome_filter to a web browser installed in the machine
- Connects to hxxp://fffffk[.]xyz/down/m_inc[.]js?1589344811463 and replaces the browser extension’s m_inc.js file. This is a content script that runs on every visited page.
- Starts rundll32.exe, which then queries hxxp://info[.]d3pk[.]com/js_json for a list of JSON documents containing scripts to be injected into Internet Explorer
Upon further investigation, it is revealed that the master_preferences file on the system shows malicious indicators such as the Chrome AppID of the extension. This file contains the settings that a user wants applied to their computer’s Chrome browser; listing a Chrome extension in this file is a way to add features and functionalities to the browser.
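As an added example (not code from the article or from Trend Micro’s analysis), the following PowerShell audit parses a master_preferences file and flags pre-installed extension entries that match the indicators above: the chrome_filter name and a content script matched on every visited page. The JSON sample, the AppIDs and the Chrome install path are constructed or assumed.

```powershell
# Constructed sample of a Chrome master_preferences file (not a real capture): one entry
# shaped like the chrome_filter payload described above, plus one benign extension.
# The AppIDs are placeholders; the article does not give the real one.
$SampleMasterPreferences = @'
{
  "extensions": {
    "settings": {
      "aaaabbbbccccddddeeeeffffgggghhhh": {
        "manifest": {
          "name": "chrome_filter",
          "content_scripts": [ { "matches": ["<all_urls>"], "js": ["m_inc.js"] } ]
        }
      },
      "bbbbccccddddeeeeffffgggghhhhiiii": {
        "manifest": {
          "name": "Example Notes",
          "content_scripts": [ { "matches": ["https://notes.example.com/*"], "js": ["notes.js"] } ]
        }
      }
    }
  }
}
'@
# Indicator taken from the analysis above; extend with your own deny list.
$KnownBadExtensionNames = @('chrome_filter')
function Find-SuspiciousPreinstalledExtensions {
    param([Parameter(Mandatory)][string]$JsonText)
    $prefs = $JsonText | ConvertFrom-Json
    $settings = $prefs.extensions.settings
    if (-not $settings) { return }
    foreach ($entry in $settings.PSObject.Properties) {   # one property per AppID
        $manifest = $entry.Value.manifest
        if (-not $manifest) { continue }
        $reasons = @()
        if ($KnownBadExtensionNames -contains $manifest.name) {
            $reasons += "name matches known indicator '$($manifest.name)'"
        }
        # A content script matched on <all_urls> runs in every page, as m_inc.js does.
        $everyPage = @($manifest.content_scripts | Where-Object { $_.matches -contains '<all_urls>' })
        if ($everyPage.Count -gt 0) { $reasons += 'content script injected into every visited page' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ AppId = $entry.Name; Name = $manifest.name; Reasons = ($reasons -join '; ') }
        }
    }
}

# On a live host, feed the real file instead (assumed default install path):
#   Get-Content -Raw "$env:ProgramFiles\Google\Chrome\Application\master_preferences"
Find-SuspiciousPreinstalledExtensions -JsonText $SampleMasterPreferences | Format-Table -AutoSize
```

Only the chrome_filter entry is reported, with both reasons; a benign extension that happens to use <all_urls> would still be listed for review, which is the intended triage behaviour.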
The other use of the dropper in an attack involves using the initial machine as a foothold from which it will scan the internal network to look for vulnerable machines. It can then launch an EternalBlue exploit to spread the dropper laterally across the network.
EternalBlue is a hacking tool developed by the NSA along with other tools and exploits such as EternalSynergy, EternalRomance, and the aforementioned DoublePulsar. The cybercriminal group Shadow Brokers reportedly leaked these back in 2017. In particular, the EternalBlue exploit was used to spread the WannaCry and Petya ransomware.
The EternalBlue exploit relies on a group of critical vulnerabilities in Microsoft SMBv1, specifically CVE-2017-0143 to CVE-2017-0148, which affect various systems such as Windows 7, Windows Server 2008, Windows XP, and even Windows 10 when port 445 is open or enabled. Strings from the unpacked sample reveal the targeted Windows versions, port, and architecture, which match the systems where Microsoft SMBv1 is used. Microsoft SMBv1 is now frequently disabled or uninstalled.
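As an added example (not from the article or from Trend Micro), this PowerShell check reports whether a host still offers the SMBv1 surface on TCP/445 that EternalBlue needs, using the built-in SMB and optional-feature cmdlets; combining the three results into a single verdict is my own grouping, and patch level for MS17-010 is deliberately left to a separate check.

```powershell
# Added check (not from the article or Trend Micro): does this host still expose the
# SMBv1 surface EternalBlue needs? Run from an elevated PowerShell session on
# Windows 8.1/10/11 or Server 2012 R2 and later (the SMB cmdlets do not exist on Windows 7).
function Get-Smb1ExposureReport {
    [CmdletBinding()]
    param()

    # 1. Is the SMB1 optional feature still installed? (On Server editions the
    #    equivalent is: Get-WindowsFeature FS-SMB1)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureInstalled = ($null -ne $feature) -and ("$($feature.State)" -eq 'Enabled')

    # 2. Does the SMB server still negotiate the SMB1 dialect?
    $srv = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $smb1Enabled = ($null -ne $srv) -and [bool]$srv.EnableSMB1Protocol

    # 3. Is TCP/445 listening at all? No listener, no remote SMB attack surface.
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $port445Open = ($null -ne $listener)

    # Exposed when SMB1 is both negotiable and reachable. The MS17-010 patch level
    # still has to be confirmed separately (Get-HotFix against the KB for this OS).
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Smb1FeatureInstalled = $featureInstalled
        Smb1ServerEnabled    = $smb1Enabled
        Port445Listening     = $port445Open
        ExposedToEternalBlue = ($smb1Enabled -and $port445Open)
    }
}

$report = Get-Smb1ExposureReport
$report | Format-List

if ($report.ExposedToEternalBlue) {
    Write-Warning 'SMBv1 is enabled and reachable on TCP/445. If nothing legacy still needs it, disable it:'
    Write-Host '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Host '  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart'
}
```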
Protecting Your Cryptocurrency Against Cryptojackers
Cryptocurrency and the blockchain stand to be a major driving factor in the technology of the future. However, this popularity has attracted an element of cybercrime. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a user would need 3 separate services for a VPN, malware protection, and internet controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all internet users. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.