Jump to content
  • Glupteba malware is back in action after Google disruption

    alf9872000

    • 410 views
    • 3 minutes
     Share


    • 410 views
    • 3 minutes

    The Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago.

     

    In December 2021, Google managed to cause a massive disruption to the blockchain-enabled botnet, securing the court orders to take control of the botnet's infrastructure and filing complaints against two Russian operators.

     

    Nozomi now reports that blockchain transactions, TLS certificate registrations, and reverse engineering Glupteba samples show a new, large-scale Glupteba campaign that started in June 2022 and is still ongoing.

    Hiding in the blockchain

    Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine for cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices.

     

    These proxies are later sold as 'residential proxies' to other cybercriminals.

     

    The malware is predominantly distributed through malvertising on pay-per-install (PPI) networks and traffic distribution systems (TDS) pushing installers disguised as free software, videos, and movies.

     

    Glupteba utilizes the Bitcoin blockchain to evade disruption by receiving updated lists of command and control servers it should contact for commands to execute.

     

    The botnet's clients retrieve the C2 server address using a discover function that enumerates Bitcoin wallet servers, retrieves their transactions, and parses them to find an AES encrypted address.

     

    discover-function.png

    Discover function used for retrieving C2 domains (Nozomi)

     

    This strategy has been employed by Glupteba for several years now, offering resilience against takedowns.

     

    That's because blockchain transactions cannot be erased, so C2 address takedown efforts have a limited impact on the botnet.

     

    Moreover, without a Bitcoin private key, law enforcement cannot plant payloads onto the controller address, so sudden botnet takeovers or global deactivations like the one that impacted Emotet in early 2021 are impossible.

     

    The only downside is that the Bitcoin blockchain is public, so anyone can access it and scrutinize transactions to gather information.

    The return of Glupteba

    Nozomi reports that Glupteba continues to use the blockchain in the same way, today, so its analysts scanned the entire blockchain to unearth hidden C2 domains.

     

    The effort was immense, involving the scrutiny of 1,500 Glupteba samples uploaded to VirusTotal to extract wallet addresses and attempt to decrypt transaction payload data using keys associated with the malware.

     

    Finally, Nozomi used passive DNS records to hunt for Glupteba domains and hosts and examined the latest set of TLS certificates used by the malware to uncover more information about its infrastructure.

     

    The Nozomi investigation identified 15 Bitcoin addresses used in four Glupteba campaigns, with the most recent one starting in June 2022, six months after Google's disruption. This campaign is still underway.

     

    This campaign uses more Bitcoin addresses than past operations, giving the botnet even more resilience.

     

    campaigns(1).png

    Blockchain transaction diagrams. From left to right, 2022 (most complex), 2021, 2020, and 2019 campaigns (Nozomi)

     

    Additionally, the number of TOR hidden services used as C2 servers has grown ten times since the 2021 campaign, following a similar redundancy approach.

     

    The most prolific address had 11 transactions and communicated to 1,197 samples, with its last activity being registered on November 8, 2022.

     

    Nozomi also reports many Glupteba domain registrations as recently as November 22, 2022, discovered via passive DNS data.

     

    From the above, it's clear that the Glupteba botnet has returned, and the signs indicate it's more massive than before and potentially even more resilient, setting up a high number of fallback addresses to resist takedowns by researchers and law enforcement.

     


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...