The Glupteba malware botnet, which Google managed to bring offline exactly a year ago, is back, and seems to be more resilient than before.
Cybersecurity experts at Nozomi found TLS certificate registrations, blockchain transactions, as well as reverse-engineered Glupteba samples, which they say all point to a new, large-scale campaign that seems to have started last spring and is still alive and kicking.
Glupteba is described as a blockchain-enabled, modular malware, whose goal is to mine cryptocurrency on the infected endpoints, as well as steal user credentials and cookies. Furthermore, it is capable of deploying proxies, which the threat actors later sell as “residential proxies” to whoever is willing to pay.
Mining crypto
The malware usually disguises itself as free software, and gets an updated list of C2 servers via the Bitcoin blockchain. As setting up a C2 server isn’t expensive or cumbersome, and the Bitcoin blockchain being immutable as it is, taking the botnet down is quite the challenge.
Still, transactions on the Bitcoin blockchain are public and pseudonymous, meaning anyone could track and analyze them, and possibly conclude who is behind each address or transaction.
So far, Glupteba’s operators are using 15 Bitcoin addresses, with the most recent one being activated in June 2022. That means the reborn version has more addresses than the previous one, making it somewhat more resilient. It was also said that the campaign is still ongoing. Furthermore, there are ten times more TOR hidden services being used as C2 servers. The most active address had 11 transactions, and reached out to 1,197 malware samples.
Glupteba’s previous malware botnet was taken down by Google in December 2021. The company managed to obtain a court order to seize the botnet’s infrastructure. It also filed complaints against two Russian operators, BleepingComputer reminds.
Let’s see how long Glupteba lasts this time around.
- Here's our rundown of the best firewalls at the moment
Via: BleepingComputer