After tracking the activities of the Glupteba botnet for several years, Google has made two moves to disrupt the botnet’s operations: filing a lawsuit against the alleged operators, and a technical action that took down servers used by the botnet and disabled more than 100 Google accounts associated with it.
The Glupteba botnet has included more than a million infected machines and it is part of a larger cybercrime enterprise that involves credential theft, credit card fraud, cryptomining, and other malicious activities. Google researchers have been following the botnet’s rise, and a few months ago discovered some information in Glupteba binaries that led to a deeper investigation and the takedown effort and lawsuit.
“While analyzing Glupteba binaries, our team identified a few containing a git repository URL: “git.voltronwork.com”. This finding sparked an investigation that led us to identify, with high confidence, multiple online services offered by the individuals operating the Glupteba botnet. These services include selling access to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and selling credit card numbers (extracard) to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads,” Shane Huntley and Luca Nagy of the Google Threat Analysis Group said.
The lawsuit alleges that two Russian men, Dmitry Starovikov and Alexander Filippov, operated the botnet, with help from other unnamed defendants. Google alleges that the operators’ schemes infringed on the company’s trademarks, and violated the Computer Fraud and Abuse Act, the Racketeering Influenced and Corrupt Organizations Act and other U.S. statutes.
The Glupteba botnet has some unique characteristics that have made it particularly resilient and difficult to disrupt. The main difference between Glupteba and other bot networks is that Glupteba has backup command-and-control mechanisms located on the Bitcoin blockchain that are designed to serve as failsafes if the main C2 servers are offline.
“Unlike conventional botnets, the Glupteba botnet does not rely solely on predetermined domains to ensure its survival. Instead, when the botnet’s C2 server is interrupted, Glupteba malware is hard-coded to ‘search’ the public Bitcoin blockchain for transactions involving three specific Bitcoin addresses that are controlled by the Glupteba Enterprise,” the lawsuit says.
“From time to time, the Glupteba Enterprise executes transactions in those addresses, and as part of those transactions, the Glupteba Enterprise leaves in the blockchain the location of the domain for a back-up C2 Server.”
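As an added, defender-side example (not from the article or from Google), here is a small watcher for the failsafe described above: it scans transactions that touch a set of watched addresses and pulls out any domain they publish, so the back-up domain can be blocklisted before infected hosts fall back to it. The addresses and transaction records are constructed placeholders, and because the article does not say how the domain is encoded, the example assumes a plaintext OP_RETURN output.

```python
import re

# Placeholders standing in for the three hard-coded addresses (constructed, not the real ones).
WATCHED_ADDRESSES = {"WATCHED-ADDR-1-placeholder", "WATCHED-ADDR-2-placeholder",
                     "WATCHED-ADDR-3-placeholder"}
# Conservative hostname pattern: dotted labels, alphabetic TLD, 253-char limit.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed transaction records in a simplified shape (txid, addresses touched, outputs).
# A real watcher would fetch these from a node or block-explorer API; assumption, not the article's data.
SAMPLE_TXS = [
    {"txid": "tx-0001", "addresses": ["WATCHED-ADDR-1-placeholder", "bc1q-change"],
     "outputs": [{"type": "op_return", "hex": "6261636b75702d63322e6578616d706c65"}]},  # backup-c2.example
    {"txid": "tx-0002", "addresses": ["bc1q-unrelated"],
     "outputs": [{"type": "op_return", "hex": "6f746865722e6578616d706c65"}]},  # other.example, not watched
    {"txid": "tx-0003", "addresses": ["WATCHED-ADDR-2-placeholder"],
     "outputs": [{"type": "p2wpkh", "address": "bc1q-unrelated"}]},  # ordinary payment, no data output
    {"txid": "tx-0004", "addresses": ["WATCHED-ADDR-3-placeholder"],
     "outputs": [{"type": "op_return", "hex": "zz"}]},  # malformed hex, must be ignored
    {"txid": "tx-0005", "addresses": ["WATCHED-ADDR-1-placeholder"],
     "outputs": [{"type": "op_return", "hex": "ff00"}]},  # binary payload, not a domain
]


def decode_op_return(hex_payload):
    """Decode an OP_RETURN payload as ASCII text; None if it is not clean text."""
    try:
        return bytes.fromhex(hex_payload).decode("ascii").strip().lower()
    except (ValueError, UnicodeDecodeError):
        return None


def candidate_domains(tx, watched=WATCHED_ADDRESSES):
    """Domains published by a transaction that involves one of the watched addresses."""
    if not watched.intersection(tx["addresses"]):
        return []
    found = []
    for out in tx["outputs"]:
        if out.get("type") != "op_return":
            continue
        text = decode_op_return(out.get("hex", ""))
        if text and DOMAIN_RE.match(text):
            found.append(text)
    return found


def scan_transactions(txs, watched=WATCHED_ADDRESSES):
    """Map txid -> candidate back-up C2 domains, for alerting and DNS blocklisting."""
    return {tx["txid"]: d for tx in txs if (d := candidate_domains(tx, watched))}


if __name__ == "__main__":
    for txid, domains in scan_transactions(SAMPLE_TXS).items():
        print(f"ALERT {txid}: back-up C2 candidate(s) {domains} -> add to blocklist")
```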
One of the key money-making avenues for the Glupteba operators is the sale of access to Google accounts. After infecting a new machine, usually through a fake download link for an app, the malware steals the victim’s Google account credentials and sends them back to the C2 servers. Rather than selling those stolen credentials directly to other criminals, the Glupteba operators set up a virtual machine, load the credentials for a given account into a browser on that VM, and then sell access to the account through a site called Dont.farm.
“Dont.farm’s customers pay the Glupteba Enterprise in exchange for the ability to access a browser that is already logged into a victim’s stolen Google account. Once granted access to the account, the Dont.farm customer has free rein to use that account however they desire, including buying advertisements and launching fraudulent ad campaigns, all without the true account owner’s knowledge or authorization,” the lawsuit says.
The Glupteba operators also allegedly ran credit card fraud schemes and ad fraud operations using Google AdWords, as well as malicious cryptomining operations, taking advantage of the processing power of infected machines.
“Unfortunately, Glupteba’s use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cyber crime organizations. The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shut down. We are working closely with industry and government as we combat this type of behavior, so that even if Glupteba returns, the internet will be better protected against it,” said Royal Hansen, vice president of security, and Halimah DeLaine Prado, general counsel at Google.