Google TAG Disrupts Glupteba Botnet Operation
Google's Threat Analysis Group announced the successful disruption of the notorious Glupteba botnet this week. The botnet was infamous for installing crypto-mining malware on victim systems and had reportedly spread to around 1 million infected hosts, including both Internet of Things devices and Windows-based computers.
According to Google's TAG report, the disruption will cause considerable problems for the operators of Glupteba and leave them unable to access critical command and control infrastructure, effectively putting the botnet out of their reach. However, the Google security research team also noted that the Glupteba operators are expected to have a fallback: a way to restore access by switching to secondary C2 infrastructure using data kept in the Bitcoin blockchain.
What is Glupteba?
Glupteba was known to use varied attack vectors to infect target systems, ranging from malicious documents to hiding in "cracks" for pirated software and applications. The Glupteba malware was also able to quietly mine cryptocurrency on the victim's system through a dedicated module, as well as exfiltrate login credentials and files from the victim's drives, making it a formidable malicious toolkit.
The discovery of a single git repository URL in the code of a Glupteba binary that was being reverse engineered put researchers on the trail that led to the eventual disruption of the botnet.
Botnet takedown in a massive sweep
Once tipped off by the URL, the research team managed to eventually shut down a range of online services belonging to Glupteba's operators. The services in question were used to sell stolen credentials as well as stolen credit card information. The hijacked payment methods were also used for malicious purposes, with bad actors paying illegally for malicious ad campaigns or making fraudulent payments on Google Ads. During the sweep to take down the botnet's C2 infrastructure, Google's team worked together with Cloudflare to take down servers and place warning messages that load before a system can access a malicious domain. Additionally, nearly 900 Google Ads accounts were shut down, as well as over 900 cloud projects and over 1300 Google accounts.