Glupteba malware is back in action after Google disruption

Dec 19, 2022 | News


The Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago.


In December 2021, Google managed to cause a massive disruption to the blockchain-enabled botnet, securing court orders to take control of the botnet’s infrastructure and filing complaints against two Russian operators.

Nozomi now reports that blockchain transactions, TLS certificate registrations, and reverse engineering of Glupteba samples point to a new, large-scale Glupteba campaign that started in June 2022 and is still ongoing.


Hiding in the blockchain


Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine for cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices.

These proxies are later sold as ‘residential proxies’ to other cybercriminals.

The malware is predominantly distributed through malvertising on pay-per-install (PPI) networks and traffic distribution systems (TDS) pushing installers disguised as free software, videos, and movies.

Glupteba utilizes the Bitcoin blockchain to evade disruption by receiving updated lists of command and control servers it should contact for commands to execute.

The botnet’s clients retrieve the C2 server address using a discover function that enumerates Bitcoin wallet servers, retrieves their transactions, and parses them to find an AES-encrypted address.

Discover function used for retrieving C2 domains (Nozomi)

This strategy has been employed by Glupteba for several years now, offering resilience against takedowns.

That’s because blockchain transactions cannot be erased, so taking down a C2 address has only a limited impact on the botnet.

Moreover, without a Bitcoin private key, law enforcement cannot plant payloads onto the controller address, so sudden botnet takeovers or global deactivations like the one that impacted Emotet in early 2021 are impossible.

The only downside for the operators is that the Bitcoin blockchain is public, so anyone can access it and scrutinize transactions to gather information.

The return of Glupteba


Nozomi reports that Glupteba still uses the blockchain in the same way today, so its analysts scanned the entire blockchain to unearth hidden C2 domains.

The effort was immense, involving the scrutiny of 1,500 Glupteba samples uploaded to VirusTotal to extract wallet addresses and attempt to decrypt transaction payload data using keys associated with the malware.

Finally, Nozomi used passive DNS records to hunt for Glupteba domains and hosts and examined the latest set of TLS certificates used by the malware to uncover more information about its infrastructure.

The Nozomi investigation identified 15 Bitcoin addresses used in four Glupteba campaigns, with the most recent one starting in June 2022, six months after Google’s disruption. This campaign is still underway.

This campaign uses more Bitcoin addresses than past operations, giving the botnet even more resilience.

Blockchain transaction diagrams. From left to right, 2022 (most complex), 2021, 2020, and 2019 campaigns (Nozomi)

Additionally, the number of Tor hidden services used as C2 servers has grown tenfold since the 2021 campaign, following a similar redundancy approach.

The most prolific address had 11 transactions and was used by 1,197 samples, with its last activity registered on November 8, 2022.

Nozomi also reports many Glupteba domain registrations as recently as November 22, 2022, discovered via passive DNS data.

From the above, it’s clear that the Glupteba botnet has returned, and the signs indicate it is larger than before and potentially even more resilient, having set up a high number of fallback addresses to resist takedowns by researchers and law enforcement.


Source: bleepingcomputer.com
