Cybercriminals Use the Blockchain to Relay Secret Messages

Published at: June 25, 2020

A group of researchers from SophosLabs state that hackers operating the cryptojacking malware, Glupteba, have been using the Bitcoin blockchain network to communicate in secret.

According to the report published on June 24, cybercriminals rely on a command and control center where they send encrypted secret messages that require a 256-bit AES decryption key.

Encrypted messages used to update malware

The purpose of the communication channel is for hackers to receive updated configuration information for the malware. This data is used by attackers to obtain precise instructions and thus update the malicious software.

Glupteba is what’s known as a zombie or software robot that can be controlled remotely. It has various functions such as a rootkit, security suppressor, virus, router attack tool, browser stealer, and as a cryptojacking tool.

A sample of the encrypted message - Source: SophosLabs

SophosLabs explains in detail about the curious feature:

“Glupteba uses the fact that the Bitcoin transactions are recorded on the Bitcoin blockchain, which is a public record of transactions available from a multitude of sources that are unexceptionably accessible from most networks. Bitcoin’ transactions’ don’t actually have to be about money - they can include a field called RETURN, also known as OP_RETURN, that is effectively a comment of up to 80 characters.”

Future malware-delivery-as-a-service provider?

However, the cybersecurity firm warns that the malware could take advantage of this feature as an added value to commercialize it.

Andrew Brandt, a principal researcher at SophosLabs, told ZDNet:

“I’d say the Glupteba attackers are angling to market themselves as a malware-delivery-as-a-service provider to other malware makers who value longevity and stealth over the noisy quick endgame of, for instance, a ransomware payload.”

But this is not the first case in which the blockchain network is used to send messages in the crypto sphere. On May 25, a message signed by 145 wallets containing Bitcoin (BTC) from a number of early blocks called Craig Wright a “liar and a fraud.”

Tags
Related Posts
Digital intelligence must overcome challenges to solving crypto crimes
While the value of cryptocurrencies has varied wildly in the last year, this has not diminished crypto’s attractiveness to criminals. Many of them are moving their illegal activities underground and outside the view of law enforcement. Because of the public nature of most blockchains, however, this rapid movement shouldn’t be a major concern to law enforcement agencies. With the right tools and training, following the proceeds of crypto-enabled crime is actually not as difficult as it may seem. However, intelligence agencies must have a cryptocurrency investigation plan that includes the right tools to lawfully collect digital evidence and the properly …
Technology / Aug. 20, 2021
Bitcoin Ransomware and Remote Working: What the Future Holds
The new work-from-home culture is gaining more traction than ever before as businesses, government departments and schools try to remain afloat while flattening the pandemic curve. This migration to remote working is a double-edged sword that creates a fertile land for cybercriminals to thrive on. There is no way that cyberattacks can be eliminated completely. The best that companies can do is minimize the frequency of the threats. What is ransomware? Cybercriminals use malicious software code to block people or organizations from accessing their computer systems until a ransom has been paid. Cryptocurrencies such as Bitcoin (BTC) have made it …
Technology / Aug. 21, 2020
Don’t blame crypto for ransomware
Recently, gas has been a hot topic in the news. In the crypto media, it’s been about Ethereum miner’s fees. In the mainstream media, it’s been about good old-fashioned gasoline, including a short-term lack thereof along the East Coast, thanks to an alleged DarkSide ransomware attack on the Colonial Pipeline system, which provides 45% of the East Coast’s supply of diesel, gasoline and jet fuel. In cases of ransomware, we generally see a typical cycle repeat: Initially, the focus is on the attack, the root cause, the fallout and steps organizations can take to avoid attacks in the future. Then, …
Technology / May 30, 2021
Colorado Hospital Patient Information System Hit by Crypto Ransomware
Hackers have infected the infrastructure of Parkview Medical Center — the largest health center in Pueblo County, Colorado — with cryptocurrency ransomware. Citing a hospital employee, Fox News reported on April 24 that Meditech — the Parkview Medical Center’s system for storing patient information — was infected with ransomware and rendered inoperable. The hospital confirmed the incident in a statement: “On Tuesday, April 21, Parkview Medical Center was the target of a cyber-incident which has resulted in an outage in a number of our IT systems.” As Cointelegraph recently reported, ransomware attacks against hospitals are ongoing, despite the fall in …
Technology / April 29, 2020
Defending Bitcoin’s Integrity in the Great Twitter Hack
Bitcoin (BTC) has made global headlines again because of the recent Twitter hack, but this time, we need to work harder to protect Bitcoin’s integrity and the progress the industry has made. The coordinated social engineering attack compromised the Twitter accounts of high-profile figures and organizations like Microsoft co-founder Bill Gates, Tesla founder Elon Musk, Amazon owner Jeff Bezos, former United States President Barack Obama and 2020 U.S. presidential candidate Joe Biden, among many others, to ask for Bitcoin in fake “giveaway” posts. When the story broke, the New York Times, BBC and other mainstream media outlets were quick to …
Decentralization / July 22, 2020