The malicious Glupteba botnet, which Google managed to take offline exactly one year ago, is back and seems more resilient than before.
Nozomi's cybersecurity experts have found TLS certificate records, blockchain transactions and reverse-engineered Glupteba samples which they believe point to a new large-scale campaign that appears to have started last spring and is still active.
Glupteba is described as modular, blockchain-enabled malware whose purpose is to mine cryptocurrency on infected endpoints and to steal user credentials and cookies. It is also capable of deploying proxies, which the threat actors then sell as "residential proxies" to anyone willing to pay.
The malware usually disguises itself as freeware and obtains an updated list of C2 servers via the Bitcoin blockchain. Because standing up a new C2 server is neither expensive nor time-consuming, and because the Bitcoin blockchain is immutable, taking the botnet down is a real challenge.
However, transactions on the Bitcoin blockchain are public and pseudonymous, which means that anyone can track and analyze them, ultimately concluding who is behind each address or transaction.
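The public nature of the chain described above cuts both ways: a defender who knows one of the operators' addresses can read the same transactions the bots read. The following is an added example, not code from the article or from Nozomi or Google, of how such a watch could be implemented. It assumes the C2 list is embedded in Bitcoin OP_RETURN outputs as a plain, comma-separated host list; the article does not describe Glupteba's actual encoding, so that format, the helper names (`extract_op_return`, `c2_updates`, `current_c2_hosts`) and the sample transactions are all constructed for this example.

```python
"""
Added example (not from the article or from Nozomi/Google): recover the host
list embedded in a watched Bitcoin address's transactions so the newest C2
servers can be blocklisted. The plain-text, comma-separated OP_RETURN payload
is an assumption made for this example, not Glupteba's documented format.
"""
import json
from typing import List, Optional, Tuple

OP_RETURN = 0x6A      # script opcode marking an unspendable data output
OP_PUSHDATA1 = 0x4C   # push opcode used for payloads of 76..255 bytes


def make_op_return_script(payload: bytes) -> str:
    """Hex of an OP_RETURN script; used here only to build the sample data."""
    if len(payload) < OP_PUSHDATA1:
        push = bytes([len(payload)])
    elif len(payload) <= 0xFF:
        push = bytes([OP_PUSHDATA1, len(payload)])
    else:
        raise ValueError("payload too large for this example")
    return (bytes([OP_RETURN]) + push + payload).hex()


# Constructed sample (not real Glupteba data): three transactions for a
# watched address, shaped roughly like a block-explorer API response.
SAMPLE_TXS = [
    {"txid": "tx-constructed-0001", "time": 1651000000, "vout": [
        {"value": 0.0001, "scriptPubKey": {"hex": "76a914" + "11" * 20 + "88ac"}},
        {"value": 0.0, "scriptPubKey": {"hex": make_op_return_script(b"old-c2.example.onion")}},
    ]},
    {"txid": "tx-constructed-0002", "time": 1653000000, "vout": [
        {"value": 0.0001, "scriptPubKey": {"hex": "76a914" + "22" * 20 + "88ac"}},
    ]},
    {"txid": "tx-constructed-0003", "time": 1655000000, "vout": [
        {"value": 0.0, "scriptPubKey": {"hex": make_op_return_script(
            b"new-c2.example.onion,backup-c2.example.onion")}},
    ]},
]
SAMPLE_TXS_JSON = json.dumps(SAMPLE_TXS)


def extract_op_return(script_hex: str) -> Optional[bytes]:
    """Return the bytes pushed after OP_RETURN, or None if the script is not
    an OP_RETURN output (or uses a push form this example does not handle)."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    n = script[1]
    if n < OP_PUSHDATA1:                 # direct push: opcode is the length
        start = 2
    elif n == OP_PUSHDATA1 and len(script) >= 3:
        n, start = script[2], 3
    else:
        return None
    data = script[start:start + n]
    return data if len(data) == n else None


def c2_updates(txs_json: str) -> List[Tuple[int, str, List[str]]]:
    """Collect every embedded host list as (time, txid, hosts), newest first."""
    updates = []
    for tx in json.loads(txs_json):
        for out in tx.get("vout", []):
            data = extract_op_return(out.get("scriptPubKey", {}).get("hex", ""))
            if not data:
                continue
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue                 # not the plain-text encoding assumed here
            hosts = [h.strip() for h in text.split(",") if h.strip()]
            if hosts:
                updates.append((tx["time"], tx["txid"], hosts))
    updates.sort(key=lambda u: u[0], reverse=True)
    return updates


def current_c2_hosts(txs_json: str) -> List[str]:
    """The list a bot reading the chain would act on: the newest update.
    A defender blocks these and keeps the older ones on file as IoCs."""
    updates = c2_updates(txs_json)
    return updates[0][2] if updates else []


if __name__ == "__main__":
    for when, txid, hosts in c2_updates(SAMPLE_TXS_JSON):
        print(when, txid, hosts)
    print("block now:", current_c2_hosts(SAMPLE_TXS_JSON))
```

Because the chain is append-only, every past update stays readable, so the older host lists are worth retaining as historical indicators even after the bots have moved on; the immutability that frustrates takedowns also preserves the evidence.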
So far, the Glupteba operators are using 15 Bitcoin addresses, the most recent of which was activated in June 2022. The reborn version therefore has more addresses than the old one, which makes it somewhat more resilient, and the campaign is reported to be still ongoing. There are also ten times more hidden Tor services in use as C2 servers. The most active address recorded 11 transactions and was linked to 1,197 malware samples.
Google took down the previous Glupteba botnet in December 2021, after successfully obtaining a court order to seize its infrastructure. The company also filed a complaint against two Russian operators, BleepingComputer recalls.
Let's see how long Glupteba lasts this time.
Via: BleepingComputer