Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It


Posted by: Interware

Months after Google disrupted its operations, the Glupteba botnet's operators resurfaced in June 2022 with a new and "upscaled" campaign.

According to a blog post by cybersecurity firm Nozomi Networks, the renewed activity shows how resilient the malware is to takedown attempts. The use of Tor hidden services as C2 servers has increased tenfold since the 2021 campaign, it added.

The malware can also be configured to retrieve additional payloads that steal credentials, mine cryptocurrency, and extend its reach by exploiting flaws in IoT devices made by MikroTik and Netgear. It is distributed through malvertising and pirated software cracks.

Glupteba is also one of the few malware families to use a blockchain as a command-and-control (C2) mechanism, a technique it has relied on since at least 2019. Because the data lives on a public ledger rather than on a server the operators rent, that part of its infrastructure cannot be seized or sinkholed the way a traditional C2 server can.


Specifically, each bot scans the public Bitcoin blockchain for transactions involving wallet addresses controlled by the threat actor and reads the encrypted C2 server address out of them.

"This is made possible by the OP_RETURN opcode that enables storage of up to 80 bytes of arbitrary data within the signature script," the industrial and IoT security firm explained, adding the mechanism also makes Glupteba hard to dismantle as "there is no way to erase nor censor a validated Bitcoin transaction."

The method also makes it easy to replace a C2 server that has been taken down: the operators only need to publish a new transaction from an actor-controlled Bitcoin wallet address carrying the encoded address of the replacement server in an OP_RETURN output, and bots pick up the most recent one.
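To make the mechanism concrete, the following added example (not Nozomi's analysis code and not Glupteba's own implementation) shows the bot-side half of the scheme: walking a raw Bitcoin transaction, finding outputs whose script begins with OP_RETURN, decoding the push, and applying a "newest transaction wins" rule across a wallet's history. The transactions are constructed inline with a small builder, the payload is an opaque placeholder because the article does not describe the cipher or key the malware uses, and the `build_sample_tx` / `latest_c2_payload` names are this example's own. One detail worth noting: the OP_RETURN data is carried in an output's script, so a parser only has to read up to the outputs and can ignore any witness data that follows.

```python
"""Extract OP_RETURN payloads from raw Bitcoin transactions (added example)."""
import struct
from typing import Iterable, List, Optional, Tuple

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def encode_varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding (used by the sample builder)."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a CompactSize at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def op_return_script(data: bytes) -> bytes:
    """Build 'OP_RETURN <push>' as a wallet would; relay policy caps data at 80 bytes."""
    if len(data) > 80:
        raise ValueError("standard relay policy caps OP_RETURN data at 80 bytes")
    push = bytes([len(data)]) if len(data) <= 75 else bytes([OP_PUSHDATA1, len(data)])
    return bytes([OP_RETURN]) + push + data


def build_sample_tx(payload: Optional[bytes]) -> bytes:
    """Constructed legacy transaction: one dummy input, one P2PKH-shaped output,
    plus an OP_RETURN output when a payload is given. Not a real on-chain tx."""
    tx = struct.pack("<I", 2)                       # version
    tx += encode_varint(1)                          # input count
    tx += b"\x11" * 32 + struct.pack("<I", 0)       # fake prevout (txid, index)
    tx += encode_varint(0)                          # empty scriptSig
    tx += struct.pack("<I", 0xFFFFFFFF)             # sequence
    outputs = [(10_000, b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac")]
    if payload is not None:
        outputs.append((0, op_return_script(payload)))
    tx += encode_varint(len(outputs))
    for value, script in outputs:
        tx += struct.pack("<Q", value) + encode_varint(len(script)) + script
    tx += struct.pack("<I", 0)                      # locktime
    return tx


def decode_push(script: bytes) -> Optional[bytes]:
    """Return the data pushed right after OP_RETURN, or None if not an OP_RETURN script."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if 1 <= op <= 75:
        start, length = 2, op
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        start, length = 3, script[2]
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        start, length = 4, struct.unpack_from("<H", script, 2)[0]
    else:
        return None
    data = script[start:start + length]
    return data if len(data) == length else None   # truncated push -> malformed


def extract_op_return(raw: bytes) -> List[bytes]:
    """Walk a raw (legacy or segwit-serialized) transaction and collect OP_RETURN payloads."""
    pos = 4                                         # skip version
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        pos += 2                                    # segwit marker+flag; witness comes after outputs
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                                   # prevout txid + index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                       # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    payloads = []
    for _ in range(n_out):
        pos += 8                                    # value (satoshis)
        script_len, pos = read_varint(raw, pos)
        script = raw[pos:pos + script_len]
        pos += script_len
        data = decode_push(script)
        if data is not None:
            payloads.append(data)
    return payloads


def latest_c2_payload(history: Iterable[Tuple[int, bytes]]) -> Optional[bytes]:
    """history: (block_height, raw_tx) pairs for the actor's wallet. Mimics the bot-side
    rule that the most recent OP_RETURN payload is the current (still encrypted) C2 address."""
    newest = None
    for _height, raw in sorted(history, key=lambda h: h[0]):
        for data in extract_op_return(raw):
            newest = data
    return newest
```

In a real hunt the `history` list would come from a block explorer or a local node's address index, and the returned bytes would still need the malware's own decryption routine before they yield a hostname; the example stops at the ledger layer on purpose.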

In December 2021, Google dealt a significant blow to the botnet's operations and filed a lawsuit against two Russian nationals it said oversaw it. Last month, a U.S. court ruled in favor of the tech giant.

"While Glupteba operators have resumed activity on some non-Google platforms and IoT devices, shining a legal spotlight on the group makes it less appealing for other criminal operations to work with them," the internet behemoth pointed out in November.

Nozomi Networks, which examined over 1,500 Glupteba samples uploaded to VirusTotal, said it was able to extract 15 wallet addresses that were put to use by the threat actors dating all the way back to June 19, 2019.

The campaign that began in June 2022 is also likely the largest wave in the past few years: the number of rogue Bitcoin addresses in use jumped to 17, up from four in 2021.

One of those addresses, which was first active on June 1, 2022, has transacted 11 times to date and is used in as many as 1,197 artifacts, making it the most widely used wallet address. The last transaction was recorded on November 8, 2022.

"Threat actors are increasingly leveraging blockchain technology to launch cyberattacks," the researchers said. "By taking advantage of the distributed and decentralized nature of blockchain, malicious actors can exploit its anonymity for a variety of attacks, ranging from malware propagation to ransomware distribution."

Source: Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It (thehackernews.com)

APTEd Fung