
Glupteba Botnet Continues to Thrive Despite Google’s Attempts to Disrupt It

Dec 19, 2022Ravie LakshmananBlockchain / Botnet


The operators of the Glupteba botnet resurfaced in June 2022 as
part of a renewed and “upscaled” campaign, months after Google
disrupted the malicious activity.

The ongoing attack is suggestive of the malware’s resilience in
the face of takedowns, cybersecurity company Nozomi Networks said
in a write-up. “In addition, there was a tenfold increase in TOR
hidden services being used as C2 servers since the 2021 campaign,”
it noted[1].

The malware, which is distributed through fraudulent ads or
software cracks, is also equipped to retrieve additional payloads
that enable it to steal credentials, mine cryptocurrencies, and
expand its reach by exploiting vulnerabilities in IoT devices from
MikroTik[2]
and Netgear[3].

It is also an unusual instance of malware that has used the blockchain
as a command-and-control (C2) mechanism since at least 2019[4], which
makes its infrastructure far more resistant to takedown efforts than a
traditional C2 server would be.


Specifically, the botnet is designed to search the public
Bitcoin blockchain for transactions related to wallet addresses
owned by the threat actor so as to fetch the encrypted C2 server
address.

“This is made possible by the OP_RETURN[5]
opcode that enables storage of up to 80 bytes of arbitrary data
within the signature script,” the industrial and IoT security firm
explained, adding the mechanism also makes Glupteba hard to
dismantle as “there is no way to erase nor censor a validated
Bitcoin transaction.”

The method also makes it convenient to replace a C2 server
should it be taken down, as all that is needed for the operators is
to publish a new transaction from the actor-controlled Bitcoin
wallet address with the encoded updated server.
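How a defender might hunt for such transactions, as an added example that is not from the article or Nozomi's research: it parses the data push that follows OP_RETURN in an output script and flags payloads in transactions spent from a watchlist of wallets. The wallet addresses, txids and payload bytes are constructed placeholders, and the decoded `vin`/`vout` layout is an assumption about the transaction JSON a node or explorer returns.

```python
# Added defender-side example (not from the article or Nozomi's research):
# scan decoded Bitcoin transactions for OP_RETURN payloads in outputs of
# transactions spent from watched wallets. All values are constructed.

OP_RETURN, OP_PUSHDATA1 = 0x6A, 0x4C

def parse_op_return(script_hex: str):
    """Data pushed after OP_RETURN in an output script (scriptPubKey), else None.
    Handles direct pushes (0x01-0x4b) and OP_PUSHDATA1; an empty push is b""."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if 0x01 <= op <= 0x4B:
        length, start = op, 2
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        length, start = script[2], 3
    else:
        return None  # not a data push this parser recognises
    data = script[start:start + length]
    return data if len(data) == length else None  # reject truncated pushes

def op_return_script(data: bytes) -> str:
    """Build an OP_RETURN output script (direct push, data <= 75 bytes)."""
    assert len(data) <= 0x4B
    return bytes([OP_RETURN, len(data)]).hex() + data.hex()

def find_c2_payloads(transactions, watchlist):
    """(txid, payload) for OP_RETURN outputs of txs funded by watched wallets."""
    hits = []
    for tx in transactions:
        if not {vin.get("address") for vin in tx.get("vin", [])} & watchlist:
            continue  # not spent from an actor-controlled wallet
        for vout in tx.get("vout", []):
            payload = parse_op_return(vout.get("scriptPubKey", ""))
            if payload is not None:
                hits.append((tx["txid"], payload))
    return hits

# Constructed sample: a watched wallet publishing an opaque (encrypted) C2
# blob, plus an unrelated OP_RETURN transaction that must be ignored.
WATCHLIST = {"WATCHED-WALLET-PLACEHOLDER"}
SAMPLE_TXS = [
    {"txid": "aa" * 32, "vin": [{"address": "WATCHED-WALLET-PLACEHOLDER"}],
     "vout": [{"scriptPubKey": op_return_script(b"ENCRYPTED-C2-BLOB")}]},
    {"txid": "bb" * 32, "vin": [{"address": "UNRELATED-WALLET-PLACEHOLDER"}],
     "vout": [{"scriptPubKey": op_return_script(b"unrelated")}]},
]
```

The returned blob is what the article calls the encrypted C2 address; decrypting it requires the sample's own key material, which is outside this example.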


In December 2021, Google managed[6]
to put a significant dent in its operations, alongside filing a
lawsuit against two Russian nationals who oversaw the botnet. Last
month, a U.S. court ruled in favor[7]
of the tech giant.

“While Glupteba operators have resumed activity on some
non-Google platforms and IoT devices, shining a legal spotlight on
the group makes it less appealing for other criminal operations to
work with them,” the internet behemoth pointed out[8] in November.

Nozomi Networks, which examined over 1,500 Glupteba samples
uploaded to VirusTotal, said it was able to extract 15 wallet
addresses that were put to use by the threat actors dating all the
way back to June 19, 2019.

The ongoing campaign that commenced in June 2022 is also perhaps
the biggest wave in the past few years, with the number of
rogue Bitcoin addresses jumping to 17, up from four in 2021.

One of those addresses, which was first active on June 1, 2022[9], has transacted 11 times
to date and is used in as many as 1,197 artifacts, making it the
most widely used wallet address. The last transaction was recorded
on November 8, 2022.

“Threat actors are increasingly leveraging blockchain technology
to launch cyberattacks,” the researchers said. “By taking advantage
of the distributed and decentralized nature of blockchain,
malicious actors can exploit its anonymity for a variety of
attacks, ranging from malware propagation to ransomware
distribution.”


References

  1. noted (www.nozominetworks.com)
  2. MikroTik (thehackernews.com)
  3. Netgear (thehackernews.com)
  4. since at least 2019 (www.trendmicro.com)
  5. OP_RETURN (en.bitcoin.it)
  6. managed (thehackernews.com)
  7. ruled in favor (thehackernews.com)
  8. pointed out (blog.google)
  9. first active on June 1, 2022 (www.blockchain.com)
  10. Twitter (twitter.com)
  11. LinkedIn (www.linkedin.com)
