Glupteba malware is back in action after Google disruption

Gandalf_The_Grey

Thread author
The Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago.

In December 2021, Google managed to cause a massive disruption to the blockchain-enabled botnet, securing court orders to take control of the botnet's infrastructure and filing a complaint against two Russian operators.

Nozomi now reports that blockchain transactions, TLS certificate registrations, and reverse engineering of Glupteba samples all point to a new, large-scale Glupteba campaign that started in June 2022 and is still ongoing.

Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices.

These proxies are later sold as 'residential proxies' to other cybercriminals.

The malware is predominantly distributed through malvertising on pay-per-install (PPI) networks and traffic distribution systems (TDS) pushing installers disguised as free software, videos, and movies.

Glupteba utilizes the Bitcoin blockchain to evade disruption by receiving updated lists of command and control servers it should contact for commands to execute.

The botnet's clients retrieve the C2 server address with a discovery function that contacts public Bitcoin blockchain explorers, fetches the transactions of a hard-coded wallet address, and parses the transaction data for an AES-encrypted C2 address.

This strategy has been employed by Glupteba for several years now, offering resilience against takedowns.

That's because transactions recorded on the blockchain cannot be erased or altered, and the operators can publish a fresh transaction whenever a C2 domain is seized, so taking down individual C2 addresses has only a limited impact on the botnet.

Moreover, without the private key of the controller's Bitcoin wallet, law enforcement cannot sign a transaction from that address to push a replacement C2 or a deactivation payload to the bots, so a sudden botnet takeover or global deactivation like the one that hit Emotet in early 2021 is impossible.

The only downside for the operators is that the Bitcoin blockchain is public, so anyone, researchers included, can watch the controller addresses and scrutinize their transactions to gather intelligence on the campaign.
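To make the discovery mechanism described above concrete, here is an added example in Go; it is not Glupteba's code and not from the article. It assumes the details the article leaves open: that the encrypted C2 address rides in OP_RETURN outputs of the controller address's transactions, that the cipher is AES-256-GCM with a 12-byte nonce prepended to the ciphertext, and that a block explorer hands back each output script as hex. The key, nonce, sample scripts and the `example-c2.invalid` domain are all constructed for the example. The same `ExtractC2` logic serves both sides: the bot runs it to find its current C2, and an analyst who has pulled the key out of a sample runs it over the public chain to see every C2 the operators have ever published and to catch new ones as they appear.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Constructed key and nonce for this example only; a real sample embeds its
// own hard-coded key, and the nonce differs per transaction.
var sampleKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var sampleNonce = []byte("constructed!")                  // 12 bytes: GCM nonce

// opReturnData returns the bytes pushed after OP_RETURN (0x6a) by a direct
// push opcode (1..75 bytes, enough for a nonce, a domain and a GCM tag). Any
// other script, such as a P2PKH payment or a malformed push, yields ok == false.
func opReturnData(script []byte) ([]byte, bool) {
	if len(script) < 2 || script[0] != 0x6a {
		return nil, false
	}
	n := int(script[1])
	if n < 1 || n > 75 || len(script) != 2+n {
		return nil, false
	}
	return script[2:], true
}

// decryptC2 treats payload as nonce(12) || AES-256-GCM ciphertext || tag and
// returns the plaintext address. Because GCM authenticates, data that was not
// produced with the key is rejected outright rather than mis-parsed.
func decryptC2(key, payload []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(payload) < ns+gcm.Overhead() {
		return "", fmt.Errorf("payload of %d bytes is too short", len(payload))
	}
	pt, err := gcm.Open(nil, payload[:ns], payload[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// encryptC2 is the operator-side counterpart, used here only to build the
// constructed sample; errors are ignored because the key size is fixed.
func encryptC2(key, nonce []byte, addr string) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, []byte(addr), nil)...)
}

// opReturnScript wraps up to 75 bytes in an OP_RETURN output script (hex).
func opReturnScript(data []byte) string {
	return hex.EncodeToString(append([]byte{0x6a, byte(len(data))}, data...))
}

// ExtractC2 takes the hex output scripts of the controller address's
// transactions, as a block explorer returns them, and collects every OP_RETURN
// payload that decrypts under key. Payments, unrelated OP_RETURN notes and
// undecodable hex are skipped, so noise on the address does not break discovery.
func ExtractC2(scriptsHex []string, key []byte) []string {
	var found []string
	for _, h := range scriptsHex {
		script, err := hex.DecodeString(h)
		if err != nil {
			continue
		}
		if data, ok := opReturnData(script); ok {
			if addr, err := decryptC2(key, data); err == nil {
				found = append(found, addr)
			}
		}
	}
	return found
}

// SampleScripts is a constructed set of outputs: a P2PKH payment to an all-zero
// hash, the encrypted C2 update, and an unrelated OP_RETURN note.
func SampleScripts() []string {
	return []string{
		"76a914" + "0000000000" + "0000000000" + "0000000000" + "0000000000" + "88ac",
		opReturnScript(encryptC2(sampleKey, sampleNonce, "example-c2.invalid")),
		opReturnScript([]byte("hello")),
	}
}

func main() {
	fmt.Println("C2 addresses recovered:", ExtractC2(SampleScripts(), sampleKey))
}
```

The authenticated cipher is what makes the scheme robust to junk on the address: anyone can send coins or OP_RETURN notes to the controller wallet, but only data sealed with the embedded key passes `gcm.Open`. It is also what makes the takeover the article rules out impossible without the wallet's private key: a defender who knows the AES key can produce a valid payload, but still cannot get it onto the chain from the address the bots trust.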