According to TrendMicro researchers, Glupteba goons will first send Bitcoin transactions via the Electrum Bitcoin wallet, which Hard Fork previously reported had been threatened by a prolific phishing campaign.
The malware, which carries a hardcoded ScriptHash string, then queries a public list of Electrum servers to find every transaction made by the attacker.
Buried in those transactions is seemingly innocent OP_RETURN data which contains an encrypted C&C domain. The ScriptHash string is then used to decrypt that data.
“This technique makes it more convenient for the threat actor to replace C&C servers,” said TrendMicro. “If they lose control of a C&C server for any reason, they simply need to add a new Bitcoin script and the infected machines obtain a new C&C server by decrypting the script data and reconnecting.”
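A defender-side example added here (not code from TrendMicro, Glupteba or the article): it parses a Bitcoin output script, pulls out whatever was pushed after OP_RETURN, and flags opaque payloads of the kind that could hide an encrypted domain, while `electrum_scripthash` computes the index an Electrum server uses for an output script so the same history can be watched for new drops. The sample scripts and the length/entropy thresholds are constructed assumptions.

```python
import hashlib
import math
from collections import Counter
from typing import Optional

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x6A, 0x4C, 0x4D, 0x4E


def op_return_payload(script_pubkey: bytes) -> Optional[bytes]:
    """Bytes pushed after OP_RETURN (direct pushes and OP_PUSHDATA1/2/4), else None."""
    if not script_pubkey or script_pubkey[0] != OP_RETURN:
        return None
    i, chunks = 1, []
    while i < len(script_pubkey):
        op = script_pubkey[i]
        i += 1
        if 1 <= op <= 0x4B:            # direct push: the opcode is the length
            n = op
        elif op == OP_PUSHDATA1:
            n, i = script_pubkey[i], i + 1
        elif op == OP_PUSHDATA2:
            n, i = int.from_bytes(script_pubkey[i:i + 2], "little"), i + 2
        elif op == OP_PUSHDATA4:
            n, i = int.from_bytes(script_pubkey[i:i + 4], "little"), i + 4
        else:
            raise ValueError(f"non-push opcode 0x{op:02x} after OP_RETURN")
        if i + n > len(script_pubkey):
            raise ValueError("push length runs past end of script")
        chunks.append(script_pubkey[i:i + n])
        i += n
    return b"".join(chunks)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8, readable ASCII well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_encrypted_drop(script_pubkey: bytes, min_len: int = 16, min_entropy: float = 4.0) -> bool:
    """Flag OP_RETURN outputs long enough to hold a domain and lacking plaintext
    structure. The thresholds are assumptions; tune them on your own data."""
    payload = op_return_payload(script_pubkey)
    return payload is not None and len(payload) >= min_len and shannon_entropy(payload) >= min_entropy


def electrum_scripthash(script_pubkey: bytes) -> str:
    """Electrum protocol index for an output script: sha256(scriptPubKey), byte-reversed, hex."""
    return hashlib.sha256(script_pubkey).digest()[::-1].hex()


OPAQUE = bytes([OP_RETURN, 0x20]) + bytes(range(32))   # constructed: random-looking blob
TEXT = bytes([OP_RETURN, 0x0B]) + b"hello world"       # constructed: harmless note
```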
To ensure your machine is protected against innovative threats like Glupteba, DON’T CLICK ON SUSPICIOUS LINKS AND EMAILS. Also, ensure your router’s firmware is up-to-date. Be safe out there.