Google disrupts Glupteba botnet, which was using the Bitcoin blockchain to survive takedowns

  • Google’s security team has disrupted Glupteba, a botnet that has infected about a million Windows machines worldwide and uses the Bitcoin blockchain as a fallback channel for command-and-control instructions.
  • The company also sued 17 individuals for their alleged involvement, two of them named Russian nationals, but admitted that the blockchain-based fallback means the botnet could rise again.

Blockchain technology has been used for all manner of innovative use cases, most of them good. However, it is not immune to abuse, and alleged Russian hackers have turned it into an infrastructure component for malware operating worldwide. Google has cracked down on this ring, whose Glupteba botnet uses the Bitcoin blockchain to keep control of infected machines and has compromised millions of them around the world.

In a blog post, Google’s VP of Security Royal Hansen revealed that the company had taken action against Glupteba. He pointed out that the botnet had infected approximately one million Windows machines, making it one of the world’s largest botnets. It grows at the rate of thousands of new victims daily, he noted.

The operators of Glupteba have been using it to steal user credentials and cookies, deploy and operate proxy components on infected Windows systems, and mine cryptocurrencies on the infected hosts. It has mostly targeted the U.S., Brazil, India and a few countries in Southeast Asia, but it has a global presence.

Shane Huntley, the director of Google’s Threat Analysis Group, revealed further details in a different blog post, stating:

The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS). For a period of time, we observed thousands of instances of malicious Glupteba downloads per day.

Glupteba uses Bitcoin for evil

Glupteba was using the Bitcoin blockchain as a fallback command-and-control channel, which gives it unusual resilience. This not only makes it hard to take down but also lets it recover quickly after a disruption such as Google’s: the operators can publish new instructions on a public ledger that nobody can edit or remove.

Once the bots lose contact with their current command-and-control servers, they fall back to scanning the public Bitcoin blockchain for transactions from wallet addresses the operators control; data embedded in those transactions tells the bots where to reconnect. Because anyone can read the blockchain and nobody can censor it, a takedown of the servers alone does not sever the operators’ ability to redirect the botnet. Chainalysis cites this as the first time a botnet has used such an approach.
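To make the mechanism concrete, here is an added example in Python (not Glupteba’s code, and not from Google’s posts). It builds a constructed legacy Bitcoin transaction whose zero-value OP_RETURN output carries a made-up backup domain, then parses the transaction the way a bot, or a defender’s scanner, would to recover that domain. Assumptions, all labelled in the code: legacy (non-segwit) serialization, a plaintext ASCII domain, and made-up txid, script hash and domain values. A real bot would fetch the operator address’s transaction history from a block explorer or its own node rather than be handed raw bytes, and public analyses of Glupteba describe its payload as encrypted rather than plaintext, so the plaintext domain match below is a teaching device, not a detection signature.

```python
"""Blockchain-hosted C2 fallback, illustrated: embed a backup domain in an
OP_RETURN output, then recover it by parsing the raw transaction.
Constructed example; every txid, script hash and domain here is made up."""
import re
import struct

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D

def encode_varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding (only sizes below 64 KiB are needed here)."""
    return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)

def decode_varint(buf: bytes, pos: int):
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9

def push_data(data: bytes) -> bytes:
    """Minimal push opcode for a byte string (direct push, PUSHDATA1 or PUSHDATA2)."""
    n = len(data)
    if n <= 0x4B:
        return bytes([n]) + data
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + data
    return bytes([OP_PUSHDATA2]) + struct.pack("<H", n) + data

def build_op_return_tx(payload: bytes) -> bytes:
    """Serialize a one-input, two-output legacy (non-segwit) transaction.
    The previous txid and the change script hash are made-up constants."""
    version = struct.pack("<i", 1)
    txin = b"\x11" * 32 + struct.pack("<I", 0) + encode_varint(0) + b"\xff\xff\xff\xff"
    script0 = bytes([OP_RETURN]) + push_data(payload)          # zero-value data output
    out0 = struct.pack("<q", 0) + encode_varint(len(script0)) + script0
    script1 = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"      # dummy P2PKH change
    out1 = struct.pack("<q", 50_000) + encode_varint(len(script1)) + script1
    return version + encode_varint(1) + txin + encode_varint(2) + out0 + out1 + struct.pack("<I", 0)

def parse_outputs(raw_tx: bytes):
    """Walk a legacy transaction and return (value, scriptPubKey) for each output."""
    pos = 4                                   # skip version
    n_in, pos = decode_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 32 + 4                         # prev txid + output index
        script_len, pos = decode_varint(raw_tx, pos)
        pos += script_len + 4                 # scriptSig + sequence
    n_out, pos = decode_varint(raw_tx, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw_tx, pos)[0]
        pos += 8
        script_len, pos = decode_varint(raw_tx, pos)
        outputs.append((value, raw_tx[pos:pos + script_len]))
        pos += script_len
    return outputs

def op_return_payloads(script: bytes):
    """Pushed data items of an OP_RETURN script; [] if the script is not one."""
    if not script or script[0] != OP_RETURN:
        return []
    items, pos = [], 1
    while pos < len(script):
        op = script[pos]
        pos += 1
        if 1 <= op <= 0x4B:
            n = op
        elif op == OP_PUSHDATA1:
            n, pos = script[pos], pos + 1
        elif op == OP_PUSHDATA2:
            n, pos = struct.unpack_from("<H", script, pos)[0], pos + 2
        else:
            break                              # bare opcode or malformed: stop
        items.append(script[pos:pos + n])
        pos += n
    return items

DOMAIN_RE = re.compile(rb"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def recover_c2_domains(raw_tx: bytes):
    """Candidate backup C2 domains carried in a transaction's OP_RETURN outputs."""
    found = []
    for _value, script in parse_outputs(raw_tx):
        for item in op_return_payloads(script):
            if DOMAIN_RE.match(item.lower()):
                found.append(item.decode("ascii"))
    return found

if __name__ == "__main__":
    tx = build_op_return_tx(b"backup-c2.example.net")   # made-up domain
    print(tx.hex())
    print(recover_c2_domains(tx))
```

The takeaway for defenders is in the last function: the data the bot needs is sitting in a public, append-only ledger, so seizing the current C2 domains does nothing to the fallback channel, and the only way to cut it is to block the bot’s path to blockchain data (or the decryption key it needs to read it), which is why Google’s post warns the operation can resurface.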

Hansen noted:

Unfortunately, Glupteba’s use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cyber crime organizations. The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shut down.

Glupteba was also using Google resources to spread, and the search engine giant has been forced to take a chunk of these down.

“We’ve terminated around 63M Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with their distribution. Furthermore, 3.5M users were warned before downloading a malicious file through Google Safe Browsing warnings,” the company revealed.

Google also took legal action against 17 actors it believes were behind the botnet. In its filing with the Southern District of New York, it accused two Russian nationals, Alexander Filippov and Dmitry Starovikov, and 15 unnamed others of computer fraud, trademark infringement and other charges.

One of the suspects, Filippov, was traced to Federation Tower, a skyscraper in Moscow. This week, the New York Times reported that U.S. cybercrime investigators had traced several other Bitcoin-related hacking organizations to the same building.