An analysis conducted by OT and IoT cybersecurity firm Nozomi Networks shows that the Glupteba botnet is still active following Google’s efforts to disrupt the cybercrime operation.
The Glupteba botnet is powered by a large number of compromised Windows devices. The malware can steal user credentials and other data, mine cryptocurrencies, and turn devices into proxies. It leverages cryptocurrency blockchains to protect its command and control (C&C) structure.
Google announced in December 2021 that it had taken action against the Glupteba botnet and its alleged operators, Russian nationals Dmitry Starovikov and Alexander Filippov. The internet giant had filed a lawsuit against the two men and worked with industry partners to take down C&C infrastructure.
However, a blockchain analysis conducted by Nozomi reveals that the threat is still active, with the latest campaign, which is ongoing, starting in June 2022.
Nozomi’s investigation focused on Glupteba’s use of the Bitcoin blockchain for hidden C&C domains. Specifically, the blockchain can be used to store arbitrary data through an opcode that fits up to 80 bytes of data with the signature script.
Using this method makes the botnet more resilient to takedown because blockchain transactions cannot be erased by law enforcement or defenders.
“The way the Bitcoin blockchain is built on top of modern cryptography also makes this mechanism secure; without the Bitcoin address private key, one cannot send a transaction with such a data payload originating from the malicious address, hence, taking over the botnet is not possible. Additionally, threat actors can encrypt their payload from peering eyes, making the data storage scheme robust and cost effective,” Nozomi explained
According to the security firm, Glupteba has been using the technique, which has also been used by the Cerber ransomware, since at least 2019.
An analysis of more than 1,500 malware samples and a scan of the entire Bitcoin blockchain showed that the first campaign, which started in June 2019, used a single Bitcoin address to distribute malicious domains.
In the second campaign, which started in April 2020, two Bitcoin addresses were used for C&C domain distribution. The third campaign started in November 2021 and it was the shortest, stopping after roughly two months, likely due to the actions taken by Google.
Nozomi has determined that it took the cybercriminals six months to build a new campaign. This latest operation, which began in June 2022, is much larger, with more than a dozen Bitcoin addresses being used, likely in an effort to hinder the efforts of the cybersecurity community. The black hat hackers also increased the use of Tor hidden services for C&C servers.
Google announced last month that it won the lawsuit against Glupteba operators, with the court ordering the defendants and their US-based attorney to pay legal fees. The operators attempted to mislead the court by claiming they were willing to cooperate when in fact their plan was to abuse the court system and discovery rules to obtain information that would help them bypass Google’s efforts to shut down the botnet.
Starovikov and Filippov at one point offered to provide information about the Bitcoin addresses associated with the botnet in return for Google giving each of them $1 million and not reporting them to law enforcement. The offer was seen as an extortion attempt by Google, which notified law enforcement.
Google confirmed in a recent blog post that Glupteba operators have “resumed activity on some non-Google platforms and IoT devices”, but believes that the successful legal case against them “makes it less appealing for other criminal operations to work with them”. In addition, Google said that while the cybercrime campaign is ongoing, the company’s disruption effort still had a significant impact, with a 78% reduction being observed in the number of infected hosts.
Nozomi has published a blog post containing Bitcoin addresses used in the Glupteba operation, as well as other indicators of compromise (IoCs) that can be useful to defenders.
Related: Hamas Cyberspies Return With New Malware After Exposure of Operations
Related: FIN7 Cybercrime Operation Continues to Evolve Despite Arrests