Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Glupteba malware is back in action after Google disruption

The Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago.

In December 2021, Google managed to cause a massive disruption to the blockchain-enabled botnet, securing the court orders to take control of the botnet’s infrastructure and filing complaints against two Russian operators.

Nozomi now reports that blockchain transactions, TLS certificate registrations, and reverse engineering Glupteba samples show a new, large-scale Glupteba campaign that started in June 2022 and is still ongoing.

Hiding in the blockchain

Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine for cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices.

These proxies are later sold as ‘residential proxies’ to other cybercriminals.

The malware is predominantly distributed through malvertising on pay-per-install (PPI) networks and traffic distribution systems (TDS) pushing installers disguised as free software, videos, and movies.

Glupteba utilizes the Bitcoin blockchain to evade disruption by receiving updated lists of command and control servers it should contact for commands to execute.

The botnet’s clients retrieve the C2 server address using a discover function that enumerates Bitcoin wallet servers, retrieves their transactions, and parses them to find an AES encrypted address.

Discover function used for retrieving C2 domains
Discover function used for retrieving C2 domains (Nozomi)

This strategy has been employed by Glupteba for several years now, offering resilience against takedowns.

That’s because blockchain transactions cannot be erased, so C2 address takedown efforts have a limited impact on the botnet.

Moreover, without a Bitcoin private key, law enforcement cannot plant payloads onto the controller address, so sudden botnet takeovers or global deactivations like the one that impacted Emotet in early 2021 are impossible.

The only downside is that the Bitcoin blockchain is public, so anyone can access it and scrutinize transactions to gather information.

The return of Glupteba

Nozomi reports that Glupteba continues to use the blockchain in the same way, today, so its analysts scanned the entire blockchain to unearth hidden C2 domains.

The effort was immense, involving the scrutiny of 1,500 Glupteba samples uploaded to VirusTotal to extract wallet addresses and attempt to decrypt transaction payload data using keys associated with the malware.

Finally, Nozomi used passive DNS records to hunt for Glupteba domains and hosts and examined the latest set of TLS certificates used by the malware to uncover more information about its infrastructure.

The Nozomi investigation identified 15 Bitcoin addresses used in four Glupteba campaigns, with the most recent one starting in June 2022, six months after Google’s disruption. This campaign is still underway.

Advertisement. Scroll to continue reading.

This campaign uses more Bitcoin addresses than past operations, giving the botnet even more resilience.

Blockchain transaction diagrams. Latest campaign infrastructure on left, and 2019 to 2021 campaigns on right
Blockchain transaction diagrams. From left to right, 2022 (most complex), 2021, 2020, and 2019 campaigns (Nozomi)

Additionally, the number of TOR hidden services used as C2 servers has grown ten times since the 2021 campaign, following a similar redundancy approach.

The most prolific address had 11 transactions and communicated to 1,197 samples, with its last activity being registered on November 8, 2022.

Nozomi also reports many Glupteba domain registrations as recently as November 22, 2022, discovered via passive DNS data.

From the above, it’s clear that the Glupteba botnet has returned, and the signs indicate it’s more massive than before and potentially even more resilient, setting up a high number of fallback addresses to resist takedowns by researchers and law enforcement.

Copyright 2021 Associated Press. All rights reserved.

Source: https://www.bleepingcomputer.com/news/security/glupteba-malware-is-back-in-action-after-google-disruption/

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Telegram Messenger offers global, cloud-based instant messaging with several features:- Cybersecurity researchers at Securlist recently found several Telegram mods on Google Play in various...

Cyber Security

AttackCrypt, an open-source “crypter,” was recently used by cybercriminals to hide malware binaries and avoid antivirus detection. A crypter is a kind of software that can...

Cyber Security

We are glad to present the most recent news on cybersecurity in this week’s Threat and Vulnerability Roundup from Cyber Writes.  The latest attack...

Cyber Security

The cybercrime group evaded remediation efforts by installing persistent backdoors and deploying “new and novel malware.” A Chinese-linked hacking group that security researchers say...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO