Google’s Threat Analysis Group (TAG) has taken down the Glupteba blockchain-enabled botnet, which is made up of about 1 million infected Windows and internet of things (IoT) devices. Google also filed a lawsuit against the botnet’s controllers at the same time.
According to TAG, Glupteba, which already has a substantial global footprint, is adding thousands of new devices every day. According to researchers, it spreads using bogus pirated software, fraudulent YouTube videos, malicious documents, traffic distribution networks, and other means. Once installed, it begins harvesting users’ passwords and data, mining cryptocurrency on infected servers, and setting up proxies that route other internet traffic through compromised workstations and routers.
“And at any time, the strength of the Glupteba botnet might be exploited for use in a major ransomware or distributed denial-of-service (DDoS) assault,” Google stated in its complaint, which Threatpost obtained on Tuesday. The botnet’s operators also provide a variety of underground cybercrime-as-a-service options.
“While analysing Glupteba binaries, our team discovered a few with a git repository URL: git.voltronwork[dot]com,” the researchers explained. “This discovery sparked an investigation that led us to confidently identify multiple online services provided by the individuals operating the Glupteba botnet. These services include selling access to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and credit-card numbers (extracard) for use in other nefarious operations such as displaying malicious advertising and committing payment fraud on Google Ads.”
TAG destroyed “essential command-and-control infrastructure so those controlling Glupteba should no longer have control of their botnet — for now,” according to the group’s vice president of security Royal Hansen and general counsel Halimah DeLaine Prado in a Tuesday statement.
The operation included shutting down 63 million Google Docs used to distribute Glupteba, 1,313 Google accounts, 908 cloud projects, and 870 Google Ads accounts, as well as shutting down servers and placing warning interstitial pages in front of malicious domains in collaboration with Cloudflare and others. Hansen and Prado did, however, admit that “Glupteba’s adoption of blockchain technology as a resilience mechanism is significant here… The decentralised structure of blockchain allows the botnet to rebound from disturbances more rapidly, making it that much more difficult to take down.”
TAG researchers elaborated in a second article that “Glupteba controllers are likely to seek to recover control of the botnet using a backup command-and-control method that exploits data encoded on the Bitcoin blockchain.”
The C2 normally communicates with infected devices over HTTPS; if that channel is cut for any reason, infected machines can retrieve backup domains, stored in encrypted form, from the most recent transaction of a set of Bitcoin wallet addresses.
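The fallback described above, as an added defensive example that is not code from Google, TAG or the article: a small parser that pulls OP_RETURN payloads out of raw Bitcoin transactions, so an analyst watching wallet addresses tied to a botnet can inspect whatever data is embedded in them. It assumes the data rides in OP_RETURN outputs, which the article does not state; the sample transaction below is constructed. Real payloads may be encrypted, in which case only the presence of data, not its content, is visible without the key.

```python
"""Extract OP_RETURN payloads from raw Bitcoin transactions.

Defender-side helper (added example, not Google/TAG code). Assumption: the
fallback data travels in OP_RETURN outputs; the article does not say how
Glupteba encodes it, and real payloads may be encrypted.
"""
import re
from typing import List, Optional, Tuple

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
OP_PUSHDATA4 = 0x4E

# Constructed sample transaction: one dummy input, one OP_RETURN output
# carrying the string "example.invalid", one ordinary P2PKH output.
SAMPLE_TX_HEX = (
    "01000000"                                  # version 1
    + "01"                                      # one input
    + "00" * 32                                 # previous txid (all zero, constructed)
    + "ffffffff"                                # previous output index
    + "00"                                      # empty scriptSig
    + "ffffffff"                                # sequence
    + "02"                                      # two outputs
    + "0000000000000000"                        # output 0: value 0 satoshis
    + "11" + "6a0f" + b"example.invalid".hex()  # 17-byte script: OP_RETURN, push 15 bytes
    + "e803000000000000"                        # output 1: 1000 satoshis
    + "19" + "76a914" + "11" * 20 + "88ac"      # 25-byte standard P2PKH script
    + "00000000"                                # locktime
)


def _read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return int.from_bytes(buf[pos + 1:pos + 3], "little"), pos + 3
    if first == 0xFE:
        return int.from_bytes(buf[pos + 1:pos + 5], "little"), pos + 5
    return int.from_bytes(buf[pos + 1:pos + 9], "little"), pos + 9


def _output_scripts(raw: bytes) -> List[bytes]:
    """Walk a serialized transaction (legacy or segwit) and return every scriptPubKey."""
    pos = 4  # skip version
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        pos += 2  # segwit marker + flag
    n_in, pos = _read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4  # previous txid + output index
        script_len, pos = _read_varint(raw, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = _read_varint(raw, pos)
    scripts = []
    for _ in range(n_out):
        pos += 8  # value in satoshis
        script_len, pos = _read_varint(raw, pos)
        scripts.append(raw[pos:pos + script_len])
        pos += script_len
    # witness data (if any) and locktime follow; outputs do not depend on them
    return scripts


def _op_return_payload(script: bytes) -> Optional[bytes]:
    """Return the pushed data of an OP_RETURN script, or None if it is not one."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if 1 <= op <= 0x4B:                 # direct push: opcode is the length
        start, length = 2, op
    elif op == OP_PUSHDATA1:
        start, length = 3, script[2]
    elif op == OP_PUSHDATA2:
        start, length = 4, int.from_bytes(script[2:4], "little")
    elif op == OP_PUSHDATA4:
        start, length = 6, int.from_bytes(script[2:6], "little")
    else:
        return None                     # not a data push
    return script[start:start + length]


def extract_op_return(raw_hex: str) -> List[bytes]:
    """Return all OP_RETURN payloads found in a raw transaction hex string."""
    raw = bytes.fromhex(raw_hex)
    payloads = []
    for script in _output_scripts(raw):
        data = _op_return_payload(script)
        if data is not None:
            payloads.append(data)
    return payloads


_DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def domain_candidates(payloads: List[bytes]) -> List[str]:
    """Flag plaintext domain-like strings; encrypted payloads will not match."""
    found = []
    for payload in payloads:
        for match in _DOMAIN_RE.findall(payload.lower()):
            found.append(match.decode())
    return found


if __name__ == "__main__":
    data = extract_op_return(SAMPLE_TX_HEX)
    print("OP_RETURN payloads:", data)
    print("domain candidates:", domain_candidates(data))
```

In practice an analyst would feed this the raw hex of each transaction sent from the monitored addresses (obtained from a local node or a block explorer) and alert on any OP_RETURN output, whether or not the payload decodes to a readable domain, since an encrypted blob from a watched wallet is itself the signal that the fallback channel is being used.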
As the takedowns of Emotet and TrickBot showed, these sorts of networks can reappear weeks or months after technical action is taken. As an added layer of disruption, Google also filed a lawsuit against Russian nationals Dmitry Starovikov and Alexander Filippov in the Southern District of New York.
The two are being sued for computer fraud and abuse, trademark infringement, Racketeer Influenced and Corrupt Organizations Act (RICO) breaches, tortious interference with commercial relationships, unjust enrichment, and other claims.