Jump to content
  • Google disrupts massive Glupteba botnet, sues Russian operators


    Karlston

    • 581 views
    • 3 minutes
     Share


    • 581 views
    • 3 minutes

     

    Google announced today that it has taken action to disrupt the Glupteba botnet that now controls more than 1 million Windows PCs around the world, growing by thousands of new infected devices each day.

     

    Glupteba is a blockchain-enabled and modular malware that has been targeting Windows devices worldwide since at least 2011, including the US, India, Brazil, and countries from Southeast Asia.

     

    Threat actors behind this malware strain are mainly distributing payloads onto targets' devices via pay-per-install (PPI) networks and traffic purchased from traffic distribution systems (TDS) camouflaged as "free, downloadable software, videos, or movies."

     

    After infecting a host, it can mine for cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices, which later get sold as 'residential proxies' to other cybercriminals.

     

    As part of Google's concerted effort to disrupt the botnet, the company took over Glupteba's key command and control (C2) infrastructure, which uses a Bitcoin blockchain backup mechanism to add resilience if the main C2 servers stop responding.

     

    "We believe this action will have a significant impact on Glupteba's operations," said Google Threat Analysis Group's Shane Huntley and Luca Nagy today.

     

    "However, the operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain."

     

    Legal action towards botnet disruption

    Google also filed for a temporary restraining order and a complaint in the Southern District of New York against two Russian defendants (Dmitry Starovikov and Alexander Filippov) and 15 other unknown individuals.

     

    The complaint claims the 17 defendants were the ones operating and coordinating Glupteba attacks with the end goal of stealing user accounts and credit card info, selling ad placement and proxy access on infected devices, and mining for cryptocurrency in computer fraud and abuse, trademark infringement, and other schemes.

     

    Among the online services offered by Glupteba botnet's operators, Google mentioned "selling access to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and selling credit card numbers (extracard) to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads."

     

    "Unfortunately, Glupteba’s use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cyber crime organizations," Google's Vice President for Security Royal Hansen and General Counsel Halimah DeLaine Prado added.

     

    "The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shutdown. We are working closely with industry and government as we combat this type of behavior, so that even if Glupteba returns, the internet will be better protected against it."

     

    On Monday, Microsoft also seized dozens of malicious sites used by the Nickel China-based hacking group (aka KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon) to target servers belonging to government orgs, diplomatic entities, and non-governmental organizations (NGOs) in the US and 28 other countries worldwide.

     

     

    Google disrupts massive Glupteba botnet, sues Russian operators

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...