The Glupteba Botnet Is Again In Action: Researchers Report a Worldwide Increase in Infections After Google Disrupted It in 2021


Google announced in December 2021 that it had taken down the Glupteba botnet's infrastructure and sued two Russian citizens, Dmitry Starovikov and Alexander Filippov, for building and operating it. The blockchain-enabled botnet has been active since at least 2011; as of December 2021, experts estimated that it comprised more than 1 million Windows PCs around the world.

The botnet is capable of stealing users' credentials and data, mining cryptocurrency with victims' resources, and setting up proxies that route other people's internet traffic through infected PCs and routers. Its operators spread the malware through cracked or pirated software and pay-per-install (PPI) schemes.

Nozomi Networks researchers report that the Glupteba botnet has returned and that infections are rising worldwide. They observed a large increase in the number of Bitcoin addresses tied to the botnet, as well as increased use of TOR hidden services as C2 servers.

The researchers discovered a new campaign that began in June 2022, after Google's action, and is still running. Nozomi examined the entire Bitcoin blockchain to identify the botnet's C2 domains, and downloaded over 1,500 Glupteba samples from VirusTotal to track the wallet addresses the operators use.
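In practice, sweeping the chain for C2 data means pulling every OP_RETURN output from the transactions of a wallet address hardcoded in a sample. The block below is an added example written for this page, not Nozomi's tooling. Glupteba's use of OP_RETURN to publish C2 data comes from earlier public analyses and is not spelled out on this page; those analyses also describe the payload as encrypted with a key carried in each sample, and that decryption step is not shown here. The transaction records are constructed in the shape of a blockchain.info raw-transaction JSON object (an assumed shape) so that the parser runs offline.

```python
"""Extract OP_RETURN payloads from a watched Bitcoin address's transactions.

Added example, not Nozomi Networks' code. The transaction list below is
constructed; hashes, times and payloads are placeholders, not real
Glupteba data. Payload ordering (newest first) mirrors how a bot that
reads its C2 from the chain would pick the current entry (assumption).
"""
from typing import List, Optional, Tuple

OP_RETURN = 0x6A
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E

# Constructed transactions: a plain P2PKH payment, a short OP_RETURN output,
# and an OP_RETURN whose payload (80 bytes) needs the OP_PUSHDATA1 encoding.
SAMPLE_TXS = [
    {"hash": "aa" * 32, "time": 1667000000, "out": [
        {"value": 5000, "script": "76a914" + "11" * 20 + "88ac"}]},
    {"hash": "bb" * 32, "time": 1667100000, "out": [
        {"value": 0, "script": "6a" + "05" + "68656c6c6f"},       # OP_RETURN "hello"
        {"value": 1200, "script": "76a914" + "22" * 20 + "88ac"}]},
    {"hash": "cc" * 32, "time": 1667900000, "out": [
        {"value": 0, "script": "6a4c50" + "41" * 80}]},            # PUSHDATA1, 80 x "A"
]


def op_return_payload(script_hex: str) -> Optional[bytes]:
    """Return the data pushed after OP_RETURN, or None for any other output.

    Handles every push encoding Bitcoin script allows: a direct push
    (1..75 bytes), OP_PUSHDATA1, OP_PUSHDATA2 and OP_PUSHDATA4.
    """
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""  # bare OP_RETURN carrying no data
    op = script[1]
    if 1 <= op <= 75:
        length, start = op, 2
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        length, start = script[2], 3
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        length, start = int.from_bytes(script[2:4], "little"), 4
    elif op == OP_PUSHDATA4 and len(script) >= 6:
        length, start = int.from_bytes(script[2:6], "little"), 6
    else:
        return None
    data = script[start:start + length]
    # A declared length that overruns the script is malformed; do not
    # hand a partial blob on to whatever decrypts it downstream.
    return data if len(data) == length else None


def latest_payloads(txs: list) -> List[Tuple[int, str, bytes]]:
    """Newest-first (time, txid, payload) for every OP_RETURN output in txs."""
    found = []
    for tx in txs:
        for out in tx.get("out", []):
            payload = op_return_payload(out.get("script", ""))
            if payload is not None:
                found.append((tx["time"], tx["hash"], payload))
    found.sort(key=lambda entry: entry[0], reverse=True)
    return found


if __name__ == "__main__":
    for when, txid, payload in latest_payloads(SAMPLE_TXS):
        print(f"{when} {txid[:16]}... {len(payload):3d} bytes: {payload.hex()}")
```

Feeding the output of a real address query through this parser gives the full history of what the operators published, not just the current entry, which is what lets a responder date campaign changes the way the page describes.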

The researchers believe that since 2019 at least five separate merchants and exchanges have been used to fund the Glupteba addresses. Over four years they identified 15 Glupteba Bitcoin addresses, most likely linked to four different campaigns.

"For this campaign we were not able to find any samples for 3 of the addresses we gathered. We assume these addresses were not created for testing because they spread several URLs discovered in other Bitcoin accounts for which samples were found," Nozomi's blog post states. "In addition, there was a tenfold rise in TOR hidden services being used as C2 servers since the 2021 campaign."

[Figure: Connection map of the Glupteba botnet. The graph illustrates transactions to and from the addresses engaged in the 2022 campaign.]

To map the attackers' infrastructure, the researchers used passive DNS data to uncover Glupteba domains and servers and examined the most recent batch of TLS certificates used by the bot. One of the addresses had 11 transactions and was referenced by 1,197 samples, with the most recent activity on November 8, 2022.

"Even with Google gaining a favourable judgement recently, we anticipated it would have dealt a major blow to Glupteba operations, but almost a year later we can say it most certainly did not. Indeed, it took Glupteba around six months to create a fresh campaign from start and distribute it in the wild, and this time on a considerably wider scale," the research concludes. "For defenders and responders, we strongly advocate blocking blockchain-related sites like blockchain.info but also Glupteba recognised C2 domains in your environment. To help prevent a potential Glupteba infection, we also recommend monitoring DNS logs and keeping antivirus software up to date."
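The DNS-monitoring advice above is the one recommendation a defender can act on immediately. The following is an added example written for this page, not Nozomi's tooling: it scans BIND-style query-log lines (constructed here, not real traffic) for lookups of blockchain.info and of a C2 watchlist, matching on label boundaries so that a subdomain such as api.blockchain.info is flagged while a look-alike such as notblockchain.info is not. The entry c2-example.invalid is a placeholder standing in for a published Glupteba C2 domain list, which this page does not reproduce.

```python
"""Flag DNS queries to blockchain services and known C2 names.

Added example for this page, not code from Nozomi Networks. Log lines are
constructed in BIND query-log format; only blockchain.info is named on
the page, the other watchlist entry is a placeholder (assumption).
"""
import re
from typing import Dict, List, Optional

WATCHLIST = {
    "blockchain.info": "blockchain lookup used for Glupteba C2 discovery",
    "c2-example.invalid": "placeholder for a known Glupteba C2 domain",
}

# Constructed BIND-style query log (not real traffic).
SAMPLE_LOG = """\
08-Nov-2022 10:15:22.123 client @0x7f3 10.0.0.5#53211 (www.example.com): query: www.example.com IN A + (10.0.0.1)
08-Nov-2022 10:15:23.456 client @0x7f3 10.0.0.5#53212 (blockchain.info): query: blockchain.info IN A + (10.0.0.1)
08-Nov-2022 10:15:24.789 client @0x7f3 10.0.0.9#40112 (api.blockchain.info): query: api.blockchain.info IN A + (10.0.0.1)
08-Nov-2022 10:15:25.001 client @0x7f3 10.0.0.5#53213 (notblockchain.info): query: notblockchain.info IN A + (10.0.0.1)
08-Nov-2022 10:15:26.002 client @0x7f3 10.0.0.7#41000 (c2-example.invalid): query: c2-example.invalid IN A + (10.0.0.1)
"""

# Timestamp, client address, queried name and record type from a BIND query line.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@\S+ )?(?P<client>[\d.]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.Bar.' equals 'foo.bar'."""
    return name.rstrip(".").lower()


def matched_watch_entry(qname: str) -> Optional[str]:
    """Return the watchlist key that qname equals or is a subdomain of."""
    qname = normalize(qname)
    for watched in WATCHLIST:
        # Suffix match only on a label boundary, never a bare substring.
        if qname == watched or qname.endswith("." + watched):
            return watched
    return None


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """Parse query lines and return one hit per query to a watched name."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # not a query record; keep going rather than abort the scan
        watched = matched_watch_entry(m["qname"])
        if watched:
            hits.append({
                "time": m["ts"],
                "client": m["client"],
                "qname": normalize(m["qname"]),
                "watched": watched,
                "reason": WATCHLIST[watched],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['qname']} [{hit['reason']}]")
```

A hit on blockchain.info from a workstation is worth a look on its own, since ordinary users rarely query a blockchain explorer's API; pairing it with the client address lets a responder pivot straight to the host for sample collection.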
