The email's RAR attachment contains an EXE file: the first malware stage, which downloads the second. The stolen data is exfiltrated via SMTP.
Glupteba exploits the Bitcoin blockchain to spread. Nozomi Networks cybersecurity experts: the malware is downloaded via Pay-Per-Install networks, online ad campaigns that push software bundled in infected installers or software cracks.
Glupteba is actively used by cybercrime actors to carry out their malicious activity, as Nozomi Networks cybersecurity experts report. The malware is a backdoor trojan that is downloaded via Pay-Per-Install networks, online ad campaigns that push software or application downloads, bundled in infected installers or software cracks. Once it is active on a system, the botnet operators can deploy additional modules, ranging from a credential stealer to exploit kits that compromise devices on the target network. Several of these modules target vulnerabilities in Internet of Things (IoT) appliances from vendors such as MikroTik and Netgear. Surprisingly, Glupteba leverages the Bitcoin blockchain to distribute its Command and Control (C2) domains to infected systems. This mechanism is uncommon and extremely resilient to takedowns, as there is no way to erase or censor a validated Bitcoin transaction. Using the same approach the malware uses to hide data within the blockchain, researchers can hunt for malicious transactions and recover their payloads. Where the domains are not stored in plaintext, reversing the Glupteba samples enables security researchers to decrypt the payload and access the embedded domains.
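As an added example (not code from the page, from Nozomi Networks or from the malware's authors), here is the hunting step described above in Python: a small parser that walks a raw Bitcoin transaction, extracts the data from any OP_RETURN output, and reports whether it is a plaintext domain or an opaque blob that still needs the key recovered by reversing the sample. It assumes the data is carried in an OP_RETURN output, which is how the published Glupteba analyses describe it, and `build_sample_tx` produces a constructed transaction (not real chain data) so the script runs offline.

```python
import re
import struct

def read_varint(buf, pos):
    """Bitcoin CompactSize integer; returns (value, new_pos)."""
    if buf[pos] < 0xFD:
        return buf[pos], pos + 1
    fmt, size = {0xFD: ("<H", 2), 0xFE: ("<I", 4), 0xFF: ("<Q", 8)}[buf[pos]]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + size

def push_data(script):
    """Data of the push after OP_RETURN: direct push (<= 75 bytes) or PUSHDATA1 (relay policy caps data at 80)."""
    op = script[0] if script else 0             # OP_0 / empty script pushes nothing
    if op <= 0x4B:
        return script[1:1 + op]
    if op == 0x4C:
        return script[2:2 + script[1]]
    return script                               # other opcode: keep the raw bytes for manual review

def op_return_payloads(raw):
    """Yield the data carried by every OP_RETURN output of a serialized transaction."""
    pos = 6 if raw[4:6] == b"\x00\x01" else 4   # segwit marker + flag; witness data sits after the outputs
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                               # previous txid + output index
        slen, pos = read_varint(raw, pos)
        pos += slen + 4                         # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    for _ in range(n_out):
        pos += 8                                # value in satoshis
        slen, pos = read_varint(raw, pos)
        script, pos = raw[pos:pos + slen], pos + slen
        if script[:1] == b"\x6a":               # OP_RETURN
            yield push_data(script[1:])

def classify(payload):
    """'domain' for a plaintext hostname, else 'opaque' hex that needs the key recovered from the sample."""
    if re.fullmatch(rb"[a-z0-9-]+(\.[a-z0-9-]+)+", payload):
        return "domain", payload.decode()
    return "opaque", payload.hex()

def build_sample_tx(payload):
    """Constructed legacy tx (not chain data): one dummy input, an OP_RETURN output, a P2PKH change output."""
    op_ret = b"\x6a" + bytes([len(payload)]) + payload          # direct push, payload <= 75 bytes
    p2pkh = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
    return (b"\x01\x00\x00\x00\x01" + b"\x00" * 32 + b"\xff\xff\xff\xff\x00\xff\xff\xff\xff" + b"\x02"
            + struct.pack("<Q", 0) + bytes([len(op_ret)]) + op_ret
            + struct.pack("<Q", 100_000) + bytes([len(p2pkh)]) + p2pkh + b"\x00" * 4)
```

On real data, feed `bytes.fromhex()` of the hex returned by `bitcoin-cli getrawtransaction <txid>`; the witness section of a segwit transaction is never reached because the outputs precede it.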