Google Disrupts Blockchain-based Glupteba Botnet; Sues Russian Hackers

Google on Tuesday said it took steps to disrupt the operations of a sophisticated "multi-component" botnet called Glupteba that infected roughly one million Windows computers across the globe and stored its command-and-control server addresses on Bitcoin's blockchain as a resilience mechanism.

As part of the efforts, Google's Threat Analysis Group (TAG) said it partnered with the CyberCrime Investigation Group over the past year to terminate around 63 million Google Docs that were observed to have distributed the malware, alongside 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts that were associated with its distribution.

Google TAG said it worked with internet infrastructure providers and hosting providers, such as CloudFlare, to dismantle the malware by taking down servers and placing interstitial warning pages in front of the malicious domains.

In tandem, the internet giant also announced a lawsuit against two Russian individuals, Dmitry Starovikov and Alexander Filippov, who are alleged to be responsible for managing the botnet alongside 15 unnamed defendants, calling the enterprise a "modern technological and borderless incarnation of organized crime."

"Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, deploy and operate proxy components targeting Windows systems and IoT devices," TAG researchers Shane Huntley and Luca Nagy said, with the botnet observed targeting victims worldwide, including the U.S., India, Brazil, and Southeast Asia.

Glupteba was first publicly documented by Slovak internet security firm ESET in 2011. Last year, cybersecurity firm Sophos published a report on the dropper, noting it "was able to repeatedly thwart efforts at removing it from an infected machine," adding "Glupteba also takes a variety of approaches to lay low and avoid being noticed."

Primarily disseminated via sketchy third-party software and online movie streaming sites, the modular botnet masquerades as free software and YouTube videos that, post-installation, can be orchestrated to take advantage of its illicit access to the devices to retrieve additional components and further a range of criminal schemes, including —

  • Stealing personal account information and selling the access to third parties on a portal called "Dont[.]farm"
  • Vending credit cards to facilitate fraudulent purchases from Google Ads and other Google services
  • Selling unauthorized access to the devices for use as residential proxies via "AWMProxy[.]net" to conceal the activities of bad actors
  • Serving disruptive pop-up ads on the compromised machines, and
  • Hijacking the computing power of the devices to mine cryptocurrency

But in an interesting twist, rather than selling these stolen credentials directly to other criminal customers, the Glupteba operators pawned the access through virtual machines that were preloaded with these accounts by logging in using the siphoned usernames and passwords in a web browser.

"Dont[.]farm's customers pay the Glupteba Enterprise in exchange for the ability to access a browser that is already logged into a victim's stolen Google account," the company alleged. "Once granted access to the account, the Dont[.]farm customer has free rein to use that account however they want, including buying advertisements and launching fraudulent ad campaigns, all without the true account owner's knowledge or authorization."

The downloaded modules, besides incorporating measures to keep the malware invisible to antivirus solutions, are designed to execute arbitrary commands pushed by an attacker-controlled server. Glupteba is also notable for the fact that, unlike other traditional botnets, it leverages the Bitcoin blockchain as a backup command-and-control (C2) system.

Specifically, instead of relying solely on a list of predetermined and disposable domains either hard-coded in the malware or obtained using a domain generation algorithm (DGA), the malware is programmed to search the public Bitcoin blockchain for transactions involving three wallet addresses owned by the threat actor in order to fetch the encrypted C2 server address.
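The lookup described above, seen from the defender's side: an added example (not Google's or TAG's code) that parses a constructed legacy Bitcoin transaction, checks whether any output pays a watch-listed address, and hands the data-carrier payload to an analyst. It assumes the address data rides in an OP_RETURN output and that the watch-list is kept as HASH160 values; the article does not describe the encryption, so the payload is treated as an opaque blob.

```python
OP_RETURN = 0x6A                              # script opcode that marks a data-carrier output
P2PKH_PREFIX = bytes([0x76, 0xA9, 0x14])      # OP_DUP OP_HASH160 <20-byte push>
P2PKH_SUFFIX = bytes([0x88, 0xAC])            # OP_EQUALVERIFY OP_CHECKSIG

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer at pos -> (value, next pos)."""
    n = buf[pos]
    if n < 0xFD:
        return n, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[n]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_outputs(raw):
    """Walk a legacy (non-SegWit) serialized tx; return [(value_sats, scriptPubKey)]."""
    n_in, pos = read_varint(raw, 4)               # 4-byte version, then input count
    for _ in range(n_in):                         # inputs carry nothing we need
        slen, pos = read_varint(raw, pos + 36)    # prev txid (32) + index (4), then scriptSig len
        pos += slen + 4                           # skip scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outs = []
    for _ in range(n_out):
        slen, spos = read_varint(raw, pos + 8)    # 8-byte value, then script length
        outs.append((int.from_bytes(raw[pos:pos + 8], "little"), raw[spos:spos + slen]))
        pos = spos + slen
    return outs

def p2pkh_hash160(script):
    """Payee HASH160 if the script is a standard P2PKH output, else None."""
    ok = len(script) == 25 and script.startswith(P2PKH_PREFIX) and script.endswith(P2PKH_SUFFIX)
    return script[3:23] if ok else None

def op_return_payload(script):
    """Data behind OP_RETURN when pushed directly (<= 75 bytes, the common case), else None."""
    ok = len(script) >= 2 and script[0] == OP_RETURN and script[1] <= 75
    return script[2:2 + script[1]] if ok else None

def extract_c2_blob(raw_tx, watched_hash160s):
    """If the tx pays a watch-listed address, return its OP_RETURN data for analysts."""
    outs = parse_outputs(raw_tx)
    if not any(p2pkh_hash160(s) in watched_hash160s for _, s in outs):
        return None
    return next((p for p in map(op_return_payload, [s for _, s in outs]) if p is not None), None)

# Constructed sample tx: one dummy input, one output to the watched address, one OP_RETURN output.
WATCHED_HASH160 = bytes(range(20))            # placeholder, not a real operator address
PAYLOAD = b"ENCRYPTED-C2-PLACEHOLDER"          # stands in for the encrypted address blob
SAMPLE_TX = ((1).to_bytes(4, "little") + b"\x01" + b"\x00" * 36 + b"\x00" + b"\xff" * 4 + b"\x02"
             + (1000).to_bytes(8, "little") + b"\x19" + P2PKH_PREFIX + WATCHED_HASH160 + P2PKH_SUFFIX
             + (0).to_bytes(8, "little") + bytes([len(PAYLOAD) + 2, OP_RETURN, len(PAYLOAD)]) + PAYLOAD
             + (0).to_bytes(4, "little"))
```

Run over a feed of raw transactions touching the known wallets, a non-None result is the signal that the operators have published a new (still encrypted) C2 pointer, which is the moment a takedown team wants to be alerted.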

"Unfortunately, Glupteba's use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cyber crime organizations," Google's Royal Hansen and Halimah DeLaine Prado said. "The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shut down."

What's more, the tech giant explained in its lawsuit that the cybercriminal gang maintained an online presence at "Voltronwork[.]com" to actively recruit developers by means of job openings on Google Ads to "support its websites, transactions, and overall operation."

The legal move also comes a day after Microsoft disclosed it had seized 42 domains used by the China-based Nickel hacking group (aka APT15, Bronze Palace, Ke3Chang, Mirage, Playful Dragon, and Vixen Panda) to target servers belonging to government agencies, think tanks, and human rights organizations in the U.S. and 28 other countries worldwide.