It’s alive and kicking! The Glupteba botnet malware—that Google disrupted in 2021—is still prevalent. Recent findings show that the Glupteba trojan is actively leveraging blockchain technology to keep its operations resilient and carry out its attacks.

After its takedown announcement by Google in December 2021, the blockchain-enabled botnet took about six months to build a new large-scale campaign from scratch and distribute it in the wild.

Glupteba returns

Nozomi researchers downloaded over 1500 Glupteba samples from VirusTotal to extract wallet addresses and decrypt transaction payload data using keys associated with the malware.
  • The malware operators are setting up many fallback addresses, a redundancy approach intended to resist takedowns.
  • Its domain registrations and Bitcoin addresses have grown massively since the 2021 campaign.
  • Experts found at least five different merchants and exchanges that were used to fund the Glupteba addresses since 2019.

Upscaling of Glupteba operations

Researchers found 15 Glupteba Bitcoin addresses used in four different campaigns spanning over four years.
  • The first wave seems to have started in June 2019, when the operators used only a single Bitcoin address to distribute the malicious domains.
  • In the second wave, the operators were seen using two Bitcoin addresses to distribute a potential testing domain. This wave started in April 2020.
  • The third campaign, which started in November 2021, leveraged a number of Tor hidden services as C2 servers.
  • The latest wave, which began in June, used a significant number of malicious Bitcoin addresses. There was a tenfold increase in Tor hidden services being used as C2 servers compared to the 2021 campaign.

Conclusion

Glupteba’s use of blockchain technology as a resilience mechanism is notable and should put cybersecurity experts globally on alert. The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions. Organizations are advised to monitor DNS logs and keep antivirus software up to date to help prevent a potential Glupteba infection.
Cyware Publisher