Google Disrupts Massive CryptBot Malware Operation


A new court order allows Google to take down current and future domains tied to the distribution of the CryptBot infostealer.

Google has obtained a court order allowing it to disrupt the operations of the CryptBot malware, which has infected over 670,000 computers over the last year in order to steal victims' Google Chrome browser data and other sensitive information.

The company has filed a lawsuit against several major distributors of CryptBot, who are believed to be based in Pakistan. The court's ensuing temporary restraining order allows Google to take down current and future domains tied to the distribution of CryptBot, which it hopes will cut off new infections and hinder CryptBot's growth.

“We’re targeting the distributors who are paid to spread malware broadly for users to download and install, which subsequently infects machines and steals user data,” said Mike Trinh, head of litigation advance, and Pierre-Marc Bureau with Google’s threat analysis group in a Wednesday post. “Cybercriminals often operate like businesses, specializing in a particular function, and partner with other criminal specialists to profit off harm to innocent users.”

First discovered in 2019, CryptBot is known for stealing a variety of data from victims, including browser and social media credentials, browser history, saved credit card details, cookies and more. The stolen data is then sold to other threat actors, who use it for account takeover and data breach campaigns.

A global criminal enterprise supports CryptBot's operations, with distributors that spread the malware through fake cracked software, which has included modified versions of Google products such as Google Earth Pro and Google Chrome. Google's legal strategy focused on this area: the complaint is based on computer fraud and abuse, and on trademark infringement, since the lures misuse Google's own product names and branding.

These distributors have used various tactics, including a fake installer for KMSPico, a widely used piracy tool for illegitimately activating Windows and Office, as well as compromised websites that appear to offer cracked versions of popular video games. Once a user downloads and runs one of these packages, the malware is executed on the machine.

“Recent CryptBot versions have been designed to specifically target users of Google Chrome, which is where Google’s CyberCrimes Investigations Group (CCIG) and Threat Analysis Group (TAG) teams worked to identify the distributors, investigate and take action,” according to Google.

Google has previously disrupted other malware families using legal strategies, including filing a lawsuit against the alleged operators of the Glupteba botnet in 2021. Other companies like Microsoft have also leveraged court orders in the past to take down malicious infrastructure, including phishing domains used in Phosphorus attacks and domains used by North Korean threat actors.

“This litigation is another step forward in holding cybercriminals accountable, by not just targeting those that operate botnets, but also those that profit from malware distribution,” according to Google. “With these, and future actions, we look forward to continuing our ongoing commitment to help protect the safety of online users.”