The operators of the Glupteba botnet resurfaced in June 2022 as part of a renewed and "upscaled" campaign, months after Google disrupted the malicious activity.
The ongoing attack is suggestive of the malware's resilience in the face of takedowns, cybersecurity firm Nozomi Networks said in a write-up. "In addition, there was a tenfold increase in TOR hidden services being used as C2 servers since the 2021 campaign," it noted.
The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from MikroTik and Netgear.
It's also an instance of an unusual malware that leverages blockchain as a mechanism for command-and-control (C2) since at least 2019, rendering its infrastructure resistant to takedown efforts, unlike a traditional server.
Specifically, the botnet is designed to search the public Bitcoin blockchain for transactions related to wallet addresses owned by the threat actor so as to fetch the encrypted C2 server address.
"This is made possible by the OP_RETURN opcode that permits storage of up to 80 bytes of arbitrary data within the signature script," the industrial and IoT security firm explained, adding that the mechanism also makes Glupteba hard to dismantle as "there is no way to erase nor censor a validated Bitcoin transaction."
The approach also makes it convenient to switch a C2 server should it be taken down, as all that's needed for the operators is to publish a new transaction from the actor-controlled Bitcoin wallet address with the encoded updated server.
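For defenders tracking this technique, the practical task is to pull the OP_RETURN payload out of transactions sent from a watched wallet and keep the newest one, since a newer transaction supersedes the old C2 record. The following is an added example, not code from the article or from Nozomi Networks; it parses the unspendable OP_RETURN output script (the scriptPubKey) directly and uses constructed, placeholder transaction data rather than any real Glupteba addresses.

```python
from typing import Optional

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C


def op_return_payload(script_pubkey: bytes) -> Optional[bytes]:
    """Return the data pushed after OP_RETURN, or None if this is not an
    OP_RETURN script. Handles direct pushes (1-75 bytes) and OP_PUSHDATA1,
    which together cover the 80-byte standard data carrier limit."""
    if not script_pubkey or script_pubkey[0] != OP_RETURN:
        return None
    if len(script_pubkey) == 1:
        return b""  # bare OP_RETURN with no data
    opcode = script_pubkey[1]
    if 1 <= opcode <= 75:
        length, start = opcode, 2
    elif opcode == OP_PUSHDATA1 and len(script_pubkey) >= 3:
        length, start = script_pubkey[2], 3
    else:
        return None  # unusual encoding; not a simple data carrier
    data = script_pubkey[start:start + length]
    return data if len(data) == length else None  # truncated push -> None


def latest_payload(txs, watched_wallets):
    """txs: iterable of {"time": int, "from": str, "outputs": [bytes]}.
    Returns (time, payload) of the newest OP_RETURN data sent from a watched
    wallet, which is the record an operator would replace to move the C2."""
    best = None
    for tx in txs:
        if tx["from"] not in watched_wallets:
            continue
        for spk in tx["outputs"]:
            payload = op_return_payload(spk)
            if payload and (best is None or tx["time"] > best[0]):
                best = (tx["time"], payload)
    return best


# Constructed sample data: placeholder wallet strings, not real addresses.
WALLET = "bc1q-watched-wallet-placeholder"
P2PKH_OUTPUT = b"\x76\xa9\x14" + b"\x00" * 20 + b"\x88\xac"  # ordinary payment
SAMPLE_TXS = [
    {"time": 1, "from": WALLET, "outputs": [bytes([OP_RETURN, 4]) + b"old!"]},
    {"time": 3, "from": "bc1q-unrelated", "outputs": [bytes([OP_RETURN, 5]) + b"noise"]},
    {"time": 2, "from": WALLET,
     "outputs": [P2PKH_OUTPUT, bytes([OP_RETURN, OP_PUSHDATA1, 6]) + b"newc2!"]},
]

if __name__ == "__main__":
    print(latest_payload(SAMPLE_TXS, {WALLET}))  # (2, b'newc2!')
```

The payload returned here is still the encrypted blob the article describes; decrypting it requires the key material recovered from the sample, which this example does not cover.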
In December 2021, Google managed to cause a major dent in its operations, alongside filing a lawsuit against two Russian nationals who oversaw the botnet. Last month, a U.S. court ruled in favor of the tech giant.
"While Glupteba operators have resumed activity on some non-Google platforms and IoT devices, shining a legal spotlight on the group makes it less appealing for other criminal operations to work with them," the internet behemoth pointed out in November.
Nozomi Networks, which examined over 1,500 Glupteba samples uploaded to VirusTotal, said it was able to extract 15 wallet addresses that were put to use by the threat actors dating all the way back to June 19, 2019.
The ongoing campaign that commenced in June 2022 is also perhaps the largest wave in the past few years, with the number of rogue bitcoin addresses jumping to 17, up from 4 in 2021.
One of those addresses, which was first active on June 1, 2022, has transacted 11 times to date and is used in as many as 1,197 artifacts, making it the most widely used wallet address. The last transaction was recorded on November 8, 2022.
"Threat actors are increasingly leveraging blockchain technology to launch cyberattacks," the researchers said. "By taking advantage of the distributed and decentralized nature of blockchain, malicious actors can exploit its anonymity for a variety of attacks, ranging from malware propagation to ransomware distribution."