Google disrupts massive Glupteba botnet, sues Russian operators


    Karlston


    Google announced today that it has taken action to disrupt the Glupteba botnet that now controls more than 1 million Windows PCs around the world, growing by thousands of new infected devices each day.


    Glupteba is a blockchain-enabled and modular malware that has been targeting Windows devices worldwide since at least 2011, including the US, India, Brazil, and countries from Southeast Asia.


    Threat actors behind this malware strain are mainly distributing payloads onto targets' devices via pay-per-install (PPI) networks and traffic purchased from traffic distribution systems (TDS) camouflaged as "free, downloadable software, videos, or movies."


    After infecting a host, it can mine for cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices, which are later sold as 'residential proxies' to other cybercriminals.


    As part of Google's concerted effort to disrupt the botnet, the company took over Glupteba's key command and control (C2) infrastructure, which uses a Bitcoin blockchain backup mechanism to add resilience if the main C2 servers stop responding.


    "We believe this action will have a significant impact on Glupteba's operations," said Google Threat Analysis Group's Shane Huntley and Luca Nagy today.


    "However, the operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain."


    Legal action towards botnet disruption

    Google also filed for a temporary restraining order and a complaint in the Southern District of New York against two Russian defendants (Dmitry Starovikov and Alexander Filippov) and 15 other unknown individuals.


    The complaint claims the 17 defendants were the ones operating and coordinating Glupteba attacks with the end goal of stealing user accounts and credit card info, selling ad placement and proxy access on infected devices, and mining for cryptocurrency, in computer fraud and abuse, trademark infringement, and other schemes.


    Among the online services offered by Glupteba botnet's operators, Google mentioned "selling access to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and selling credit card numbers (extracard) to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads."


    "Unfortunately, Glupteba’s use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cyber crime organizations," Google's Vice President for Security Royal Hansen and General Counsel Halimah DeLaine Prado added.


    "The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shut down. We are working closely with industry and government as we combat this type of behavior, so that even if Glupteba returns, the internet will be better protected against it."


    On Monday, Microsoft also seized dozens of malicious sites used by the Nickel China-based hacking group (aka KE3CHANG, APT15, Vixen Panda, Royal APT, and Playful Dragon) to target servers belonging to government orgs, diplomatic entities, and non-governmental organizations (NGOs) in the US and 28 other countries worldwide.
