Glupteba malware is back in action after Google disruption

The Glupteba malware botnet has sprung back into action, infecting devices worldwide

The Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago.

In December 2021, Google managed to cause a massive disruption to the blockchain-enabled botnet, securing court orders to take control of the botnet's infrastructure and filing complaints against two Russian operators.

Nozomi now reports that blockchain transactions, TLS certificate registrations, and reverse engineering Glupteba samples show a new, large-scale Glupteba campaign that started in June 2022 and is still ongoing.

Hiding in the blockchain

Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine for cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices.

These proxies are later sold as 'residential proxies' to other cybercriminals.

The malware is predominantly distributed through malvertising on pay-per-install (PPI) networks and traffic distribution systems (TDS) pushing installers disguised as free software, videos, and movies.

Glupteba utilizes the Bitcoin blockchain to evade disruption by receiving updated lists of command and control servers it should contact for commands to execute.

The botnet's clients retrieve the C2 server address using a discover function that enumerates Bitcoin wallet servers, retrieves their transactions, and parses them to find an AES-encrypted address.
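The analyst-side counterpart of that discover function is a scanner that pulls the data-carrier output of each transaction and tries to decrypt it with keys recovered from samples. The following Go program is an added example, not code from the article or from Nozomi: it parses OP_RETURN outputs from constructed transactions, assumes (as an example convention, not a documented Glupteba format) that the payload is a 12-byte nonce followed by AES-256-GCM ciphertext and tag, and returns only plaintexts that look like hostnames so that a wrong key never produces a bogus indicator. The key, nonce, transaction IDs and hostnames are all constructed fixtures.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"strings"
)

// Tx is a minimal stand-in for a Bitcoin transaction: the scan only needs
// each output's locking script. Constructed for this example; a real scanner
// would decode transactions fetched from a node or a block explorer.
type Tx struct {
	ID      string
	Scripts [][]byte
}

// extractOpReturn returns the data pushed after OP_RETURN (0x6a) in an
// output script, or false if the script is not a data-carrier output.
// It handles the push forms a standard OP_RETURN payload can use:
// direct push (0x01..0x4b), OP_PUSHDATA1 (0x4c) and OP_PUSHDATA2 (0x4d).
func extractOpReturn(script []byte) ([]byte, bool) {
	if len(script) < 2 || script[0] != 0x6a {
		return nil, false
	}
	op := script[1]
	var n, start int
	switch {
	case op >= 0x01 && op <= 0x4b:
		n, start = int(op), 2
	case op == 0x4c && len(script) >= 3:
		n, start = int(script[2]), 3
	case op == 0x4d && len(script) >= 4:
		n, start = int(script[2])|int(script[3])<<8, 4
	default:
		return nil, false
	}
	if len(script) != start+n { // truncated or trailing bytes: reject
		return nil, false
	}
	return script[start : start+n], true
}

// decryptPayload assumes (an assumption of this example, not a documented
// format) that the payload is nonce || AES-256-GCM ciphertext || tag.
func decryptPayload(key, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return "", errors.New("payload too short")
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err // wrong key or tampered data fails authentication
	}
	return string(pt), nil
}

// looksLikeHost is a plausibility filter so that garbage produced by a
// wrong key never lands in a blocklist.
func looksLikeHost(s string) bool {
	if len(s) < 4 || len(s) > 253 || !strings.Contains(s, ".") {
		return false
	}
	for _, r := range s {
		if !(r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || r == '.' || r == '-') {
			return false
		}
	}
	return true
}

// recoverC2 walks every output of every transaction, pulls OP_RETURN data,
// tries each candidate key, and returns the hosts that decrypt cleanly.
func recoverC2(keys [][]byte, txs []Tx) []string {
	var hosts []string
	for _, tx := range txs {
		for _, s := range tx.Scripts {
			blob, ok := extractOpReturn(s)
			if !ok {
				continue
			}
			for _, k := range keys {
				if host, err := decryptPayload(k, blob); err == nil && looksLikeHost(host) {
					hosts = append(hosts, host)
					break
				}
			}
		}
	}
	return hosts
}

// buildOpReturn and encryptPayload only manufacture constructed sample
// transactions for this example; they are fixtures, not analysis code.
func buildOpReturn(data []byte) []byte {
	if len(data) <= 0x4b {
		return append([]byte{0x6a, byte(len(data))}, data...)
	}
	return append([]byte{0x6a, 0x4c, byte(len(data))}, data...)
}

func encryptPayload(key, nonce []byte, host string) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, []byte(host), nil)...)
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 32)   // constructed 256-bit key
	nonce := bytes.Repeat([]byte{0x22}, 12) // constructed nonce
	txs := []Tx{
		{ID: "tx-constructed-1", Scripts: [][]byte{
			{0x76, 0xa9, 0x14}, // truncated P2PKH prefix, not a data carrier
			buildOpReturn(encryptPayload(key, nonce, "c2-one.example.invalid")),
		}},
		{ID: "tx-constructed-2", Scripts: [][]byte{
			buildOpReturn([]byte("unrelated op_return text")),
		}},
	}
	fmt.Println(recoverC2([][]byte{key}, txs)) // [c2-one.example.invalid]
}
```

Recovered hosts are the indicators worth feeding to DNS and proxy blocklists; because the transactions themselves cannot be removed from the chain, blocking the addresses they point to and alerting on clients that query wallet servers and then the recovered hosts is the practical defensive outcome of such a scan.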

This strategy has been employed by Glupteba for several years now, offering resilience against takedowns.

That's because blockchain transactions cannot be erased, so C2 address takedown efforts have a limited impact on the botnet.

Moreover, without a Bitcoin private key, law enforcement cannot plant payloads onto the controller address, so sudden botnet takeovers or global deactivations like the one that impacted Emotet in early 2021 are impossible.

The only downside is that the Bitcoin blockchain is public, so anyone can access it and scrutinize transactions to gather information.

The return of Glupteba

Nozomi reports that Glupteba still uses the blockchain in the same way today, so its analysts scanned the entire blockchain to unearth hidden C2 domains.

The effort was immense, involving the scrutiny of 1,500 Glupteba samples uploaded to VirusTotal to extract wallet addresses and attempt to decrypt transaction payload data using keys associated with the malware.

Finally, Nozomi used passive DNS records to hunt for Glupteba domains and hosts and examined the latest set of TLS certificates used by the malware to uncover more information about its infrastructure.

The Nozomi investigation identified 15 Bitcoin addresses used in four Glupteba campaigns, with the most recent one starting in June 2022, six months after Google's disruption. This campaign is still underway.

This campaign uses more Bitcoin addresses than past operations, giving the botnet even more resilience.

[Figure] Blockchain transaction diagrams. From left to right, 2022 (most complex), 2021, 2020, and 2019 campaigns (Nozomi)

Additionally, the number of Tor hidden services used as C2 servers has grown ten times since the 2021 campaign, following a similar redundancy approach.

The most prolific address had 11 transactions and communicated with 1,197 samples, with its last activity registered on November 8, 2022.

Nozomi also reports many Glupteba domain registrations as recently as November 22, 2022, discovered via passive DNS data.

From the above, it's clear that the Glupteba botnet has returned, and the signs indicate it is larger than before and potentially even more resilient, having set up a high number of fallback addresses to resist takedowns by researchers and law enforcement.