Glupteba Malware has Returned After Being Disrupted by Google

After nearly a year of being disrupted by Google, the Glupteba malware botnet has become active again, infecting devices worldwide. Google seriously disrupted the blockchain-enabled botnet in December 2021 by securing court orders for control of its infrastructure and filing legal claims against two Russian operators.

Based on Nozomi's analysis of blockchain transactions, TLS certificate registrations, and reverse-engineered Glupteba samples, a new, large-scale Glupteba campaign started in May 2022 and is still being conducted today.

Blockchain as a hiding place

Glupteba is a modular malware family built around blockchain technology. It mines cryptocurrencies, steals user credentials and cookies, and deploys proxy servers on Windows and IoT systems. A large share of the malware is distributed through malvertising on pay-per-install (PPI) networks or a traffic distribution system (TDS), with cybercriminals pushing installers disguised as free software, videos, and movies; the infected devices are then sold to other cybercriminals as 'residential proxies.'

As part of its evasion strategy, Glupteba utilizes the Bitcoin blockchain to obtain updated lists of command and control servers so that it can contact them to execute commands. 

A discovery function in the botnet's clients lets them find the C2 server address, which is stored in encrypted form. The clients enumerate Bitcoin wallet servers, retrieve the transactions of known wallet addresses, and parse them for an encoded, AES-encrypted address. Glupteba has used this approach for many years, and it gives the botnet a resilient posture against takedown attempts.

Because blockchain transactions cannot be erased, C2 address takedown efforts have only a limited impact on the botnet. Additionally, law enforcement cannot publish payloads from the controller's Bitcoin address without its private key, so there can be no sudden botnet takeover or global deactivation like the one that hit Emotet in early 2021.

It is pertinent to note that Bitcoin is a public blockchain: anyone can access it and scrutinize its transactions to gather information.

Nozomi reported that Glupteba continues to use the blockchain in the same manner it did years ago. Therefore, revealing the hidden C2 domains was only a matter of scanning the whole blockchain.

Tremendous effort went into the process, which involved scrutinizing more than 1,500 Glupteba samples uploaded to VirusTotal. Several samples were analyzed to extract wallet addresses and the encryption keys associated with the malware, which could then be used to decrypt transaction payload data.
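The discovery step described above (wallet transactions parsed for an encoded, AES-encrypted address) and the researchers' decryption of payload data with keys extracted from samples, as an added example that is not Glupteba's code or Nozomi's tooling: it walks constructed transaction data fields and keeps only payloads that authenticate under the extracted key and decode to a hostname. The AES-GCM mode, base64 encoding, nonce-prefixed layout, key, nonce and hostname pattern are assumptions for the demo; Glupteba's real encoding and key handling are not described on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"regexp"
)

// Assumed layout: base64(nonce || AES-GCM ciphertext of the hostname); mode, encoding, key and nonce are demo assumptions.
var hostnameRe = regexp.MustCompile(`^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$`)

// scanTransactions walks a wallet's transaction data fields and returns every hostname that decrypts cleanly.
func scanTransactions(key []byte, txData []string) []string {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	ns := gcm.NonceSize()
	var hosts []string
	for _, d := range txData {
		raw, err := base64.StdEncoding.DecodeString(d)
		if err != nil || len(raw) < ns {
			continue // not a payload at all
		}
		plain, err := gcm.Open(nil, raw[:ns], raw[ns:], nil)
		if err != nil || !hostnameRe.Match(plain) {
			continue // wrong key, unrelated data or a tampered blob: the GCM tag or shape check fails
		}
		hosts = append(hosts, string(plain))
	}
	return hosts
}

// encryptPayload only builds the constructed sample data below (the inverse of the decode step above).
func encryptPayload(key, nonce []byte, host string) string {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(append([]byte{}, nonce...), nonce, []byte(host), nil)
	return base64.StdEncoding.EncodeToString(ct)
}

func main() {
	key, nonce := []byte("0123456789abcdef0123456789abcdef"), []byte("constructed!") // constructed 32-byte key, 12-byte nonce
	txs := []string{encryptPayload(key, nonce, "update.example.onion"), "bm90IGEgcGF5bG9hZA=="} // second is "not a payload"
	fmt.Println(scanTransactions(key, txs)) // [update.example.onion]
}
```

Anything that fails the authentication tag or the hostname check is dropped rather than treated as a C2 address, which keeps unrelated or decoy transactions from polluting the resulting indicator list.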

Further, Nozomi made use of passive DNS records to find domains and hosts associated with Glupteba. 

The team examined the latest set of TLS certificates issued by the malware to unearth more information about the infrastructure the malware relies upon. 

An investigation by Nozomi identified 15 Bitcoin addresses used across four Glupteba campaigns. The most recent campaign started in June 2022, six months after Google's disruption, and is still ongoing.

The botnet is now even more resilient because it uses more Bitcoin addresses than ever. Following the same redundancy model, the number of Tor hidden services used as C2 servers has increased 10-fold since the 2021 campaign.

A particularly prolific address had 11 transactions over the past year, with more than 1,197 samples connected to it; its last activity, on 11/8/2022, made it the most active address. Nozomi also reports that many Glupteba domain registrations have appeared in passive DNS data since November 22, 2022.

Based on the information above, it is clear that the Glupteba botnet is back on the scene and in attack mode again. The operation is now much larger than it once was and has the potential to become even more resilient. Because of the number of fallback addresses it has set up and the tightening of its security, it is well placed to resist takedown attempts by researchers and law enforcement agencies.