SophosLabs published a study that revealed hackers use the blockchain network to share secret messages.
A group of researchers from SophosLabs state that hackers operating the cryptojacking malware, Glupteba, have been using the Bitcoin blockchain network to communicate in secret.
According to the report published on June 24, cybercriminals rely on a command and control center where they send encrypted secret messages that require a 256-bit AES decryption key.
Encrypted messages used to update malware
The purpose of the communication channel is for hackers to receive updated configuration information for the malware. This data is used by attackers to obtain precise instructions and thus update the malicious software.
Glupteba is what’s known as a zombie or software robot that can be controlled remotely. It has various functions such as a rootkit, security suppressor, virus, router attack tool, browser stealer, and as a cryptojacking tool.
SophosLabs explains in detail about the curious feature:
“Glupteba uses the fact that the Bitcoin transactions are recorded on the Bitcoin blockchain, which is a public record of transactions available from a multitude of sources that are unexceptionably accessible from most networks. Bitcoin’ transactions’ don’t actually have to be about money – they can include a field called RETURN, also known as OP_RETURN, that is effectively a comment of up to 80 characters.”
Future malware-delivery-as-a-service provider?
However, the cybersecurity firm warns that the malware could take advantage of this feature as an added value to commercialize it.
Andrew Brandt, a principal researcher at SophosLabs, told ZDNet:
“I’d say the Glupteba attackers are angling to market themselves as a malware-delivery-as-a-service provider to other malware makers who value longevity and stealth over the noisy quick endgame of, for instance, a ransomware payload.”
But this is not the first case in which the blockchain network is used to send messages in the crypto sphere. On May 25, a message signed by 145 wallets containing Bitcoin (BTC) from a number of early blocks called Craig Wright a “liar and a fraud.” [see below]
Early Bitcoin Miner Calls Craig Wright a Fraud Through ‘His Own’ Addresses
Craig Wright’s claim to thousands of Bitcoin addresses is shaken once again as 145 addresses with BTC from 2009 signed a message saying he is a fraud.
A message signed by 145 wallets containing Bitcoin (BTC) mined in its first years calls Craig Wright a “liar and a fraud.”
The message was published on May 25 with a list of 145 addresses and their corresponding signatures. This seemingly proves that the addresses do indeed belong to the person broadcasting the message. The message itself reads:
“Craig Steven Wright is a liar and a fraud. He doesn’t have the keys used to sign this message. The Lightning Network is a significant achievement. However, we need to continue work on improving on-chain capacity. Unfortunately, the solution is not to just change a constant in the code or to allow powerful participants to force out others.”
Notably, Cointelegraph was able to verify that all of the addresses can be found among the list of thousands claimed by Craig Wright in the case against Ira Kleiman.
Wright has on multiple occasions failed to produce proof of ownership of the alleged fortune of Satoshi Nakamoto, who is believed to have mined more than one million BTC.
An easy way of doing so is by signing a message with the cryptographic private key of the wallet in question, which can be checked with the public key.
Given that Wright tried to evade every occasion where he would have been forced to conclusively prove ownership, many in the community doubt that he owns those Bitcoins — and thus, that he’s Satoshi Nakamoto.
Is this a message from Satoshi?
The signed message bears some similarity to a 2015 message coming from Satoshi’s email address, saying “I am not Craig Wright. We are all Satoshi.”
While the first part of the new statement rehashes the same concept, the message then expresses an opinion on the debates that ravaged Bitcoin before Bitcoin Cash (BCH) spun off into its own chain.
The blocks mined by this unknown person fall outside of the Patoshi pattern, which is the basis behind the claim that Satoshi mined more than 1 million BTC. Nevertheless, there is no absolute certainty in identifying which blocks are Satoshi’s and which are not. It seems likely that the similarity is a tribute to the alleged Satoshi message.
The early Bitcoin miner appears to have a middle ground position between Bitcoin and Bitcoin Cash. While he praises the Lightning Network, he also argues for higher on-chain capabilities. However, he does not believe that raising the block size, or “changing a constant in the code,” is the solution.
This is the second time in less than a week that an early miner suddenly showed activity.
What happens now for Wright?
The Kleiman case rests entirely on the assumption that Wright is Satoshi, which would entitle Ira Kleiman to half of those Bitcoins.
It is becoming ever more obvious that Wright has no access to those coins, which would nullify the long running case, set to enter trial on July 6.