Glupteba Botnet Resurfaces After Google Crackdown

The Glupteba botnet, which Google disrupted last year, is once again active and infecting devices worldwide. According to researchers at Nozomi, a new Glupteba campaign began in June 2022 and is still ongoing.

Background: Google’s Actions Against Glupteba

In December 2021, Google specialists removed accounts and disabled servers and domains associated with the Glupteba botnet. The company also filed a lawsuit against Russian nationals Dmitry Starovikov and Alexander Filippov, accusing them of creating and operating the botnet—a case Google recently won.

At that time, Google reported deleting about 63 million files from Google Docs used by Glupteba operators to spread malware, as well as 1,183 Google accounts, 908 cloud projects, and 870 Google Ads accounts that hackers used to host various parts of the botnet.

What Is Glupteba?

Glupteba was first documented in a 2011 report by ESET and, by 2021, was considered one of the world’s oldest botnets, targeting users in the US, India, Brazil, and Southeast Asia. The botnet only attacked Windows systems and relied on cracked or pirated software, as well as pay-per-install schemes, to spread. Once on a device, the malware would download various modules to perform specialized tasks.

On compromised machines, Glupteba stole credentials and cookies, mined cryptocurrency, and deployed proxy components on both Windows hosts and IoT devices. Its best-known module scanned the local network for MikroTik routers and compromised them from the infected Windows host; this module is believed to have been used in 2021 to build the Mēris botnet, responsible for some of the largest DDoS attacks recorded at the time.

Resilience Through Blockchain Technology

Google acknowledged at the time that its takedown would likely disrupt Glupteba only temporarily, because the malware was designed with a backup C&C discovery mechanism that runs over the Bitcoin blockchain. Google hoped the disruption would at least curb Glupteba's activity for a few months.

Nozomi now reports that events unfolded much as Google predicted. The botnet is active again and still uses the Bitcoin blockchain to update its list of command-and-control servers in a way that is hard to disrupt. A Glupteba client carries one or more hardcoded Bitcoin wallet addresses and a matching hardcoded AES key; it queries public block-explorer services for the transactions of those wallets, extracts the data embedded in each transaction's OP_RETURN output, and AES-decrypts it to recover the current C&C domain. The operators can therefore retarget the whole botnet by broadcasting a single new transaction, which only the holder of the wallet's private key can do. This scheme has been in use for several years and is the main reason the botnet is so resilient.

The report also notes that, without the wallet's private key, law enforcement cannot publish a transaction of its own to redirect the bots, and there is no central server to seize, unlike the Emotet infrastructure that was taken over in early 2021. The downside for the operators is that the blockchain is public: anyone can pull the same transactions and analyze them, which is exactly what Nozomi's analysts did. They scanned the blockchain and examined more than 1,500 Glupteba samples uploaded to VirusTotal to extract the wallet addresses embedded in them, then attempted to decrypt the payloads in those wallets' transactions using the AES keys recovered from the samples.
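The two sides of that mechanism, the bot resolving its C&C from a wallet's transactions and the analyst trial-decrypting the same transactions with keys carved out of samples, are the same code path. The Go program below is an added example written for this article; it is not Glupteba's code or Nozomi's tooling. It assumes the OP_RETURN payload is laid out as a 12-byte nonce followed by AES-256-GCM ciphertext and tag, and the wallet history, keys (KeyCampaignA, KeyCampaignB), and C&C names are all constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Tx stands in for a block explorer's view of a transaction: the hex scriptPubKey of each output.
type Tx struct {
	ID      string
	Outputs []string
}

// ExtractOpReturn returns the bytes pushed after OP_RETURN (0x6a): a direct push
// of 1..75 bytes, or OP_PUSHDATA1 (0x4c) followed by a one-byte length.
func ExtractOpReturn(scriptHex string) ([]byte, bool) {
	s, err := hex.DecodeString(scriptHex)
	if err != nil || len(s) < 3 || s[0] != 0x6a {
		return nil, false
	}
	n, start := int(s[1]), 2
	if s[1] == 0x4c {
		n, start = int(s[2]), 3
	}
	if n < 1 || (start == 2 && n > 75) || len(s) != start+n {
		return nil, false
	}
	return s[start:], true
}

// DecryptPayload treats the pushed data as nonce||ciphertext||tag under AES-256-GCM
// (a layout assumed for this example). A wrong key fails the tag check instead of
// yielding garbage, so a successful Open also tells the analyst which key is in use.
func DecryptPayload(payload, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block size
	ns := gcm.NonceSize()
	if len(payload) < ns+gcm.Overhead() {
		return nil, fmt.Errorf("payload too short (%d bytes)", len(payload))
	}
	return gcm.Open(nil, payload[:ns], payload[ns:], nil)
}

// ResolveC2 mirrors both the bot and the analyst: walk the wallet's transactions,
// pull every OP_RETURN, try each candidate key, and map each recovered name to its tx.
func ResolveC2(txs []Tx, keys [][]byte) map[string]string {
	found := map[string]string{}
	for _, tx := range txs {
		for _, out := range tx.Outputs {
			if data, ok := ExtractOpReturn(out); ok {
				for _, k := range keys {
					if name, err := DecryptPayload(data, k); err == nil {
						found[string(name)] = tx.ID
						break
					}
				}
			}
		}
	}
	return found
}

// Hypothetical 32-byte keys standing in for those carved out of malware samples.
var KeyCampaignA, KeyCampaignB = []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210fedcba9876543210")

// opReturnScript encrypts a name and wraps it in an OP_RETURN output. It exists only to
// build SampleChain; the fixed nonce is acceptable only because this is constructed data.
func opReturnScript(name string, key []byte) string {
	nonce := []byte("constructed!")
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	data := append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, []byte(name), nil)...)
	script := []byte{0x6a, byte(len(data))}
	if len(data) > 75 {
		script = []byte{0x6a, 0x4c, byte(len(data))} // too long for a direct push
	}
	return hex.EncodeToString(append(script, data...))
}

// SampleChain is a constructed wallet history: a plain P2PKH payment, an update under
// each known key (the second long enough to need OP_PUSHDATA1), and one we cannot read.
func SampleChain() []Tx {
	return []Tx{
		{ID: "tx1", Outputs: []string{"76a914" + hex.EncodeToString(make([]byte, 20)) + "88ac", opReturnScript("c2-example-a.onion", KeyCampaignA)}},
		{ID: "tx2", Outputs: []string{opReturnScript("long-hostname-to-exercise-the-op-pushdata1-branch.example", KeyCampaignB)}},
		{ID: "tx3", Outputs: []string{opReturnScript("hidden.example", make([]byte, 32))}},
	}
}

func main() {
	for name, tx := range ResolveC2(SampleChain(), [][]byte{KeyCampaignA, KeyCampaignB}) {
		fmt.Printf("%s -> %s\n", tx, name)
	}
}
```

Two properties of the scheme fall out of the code. An analyst holding the keys from campaigns A and B recovers those two domains and nothing else: the third update stays opaque until a sample carrying its key surfaces. And because GCM authenticates the payload, a bot (or analyst) can tell a genuine update from noise or tampering without any out-of-band signal, which is also why nobody without the wallet's private key can inject a competing update.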

Nozomi researchers also used passive DNS records to search for Glupteba domains and hosts, and studied the set of TLS certificates used by the malware to better understand the botnet’s infrastructure.

Recent Findings and Increased Complexity

The investigation identified 15 Bitcoin addresses used in four Glupteba campaigns, the latest of which began in June 2022—six months after Google’s operation. This campaign is still active and uses more Bitcoin addresses than previous ones, making the botnet even more resilient.

Glupteba campaigns from 2019 to 2022 have become noticeably more complex. The most active address had 11 transactions and was embedded in 1,197 malware samples, with its last transaction recorded on November 8, 2022. The number of Tor hidden services used as command servers has also increased tenfold compared with the 2021 campaign.

Nozomi also observed mass domain registrations associated with Glupteba in passive DNS data, the latest on November 22, 2022.

Conclusion

Despite Google’s efforts, Glupteba has proven highly resilient, leveraging blockchain technology and a decentralized infrastructure to continue its operations. The botnet’s ongoing evolution and increased complexity highlight the challenges in combating such threats on a global scale.
