Google TAG Disrupts Blockchain-Enabled BotnetAlso, Google Sues Two Alleged Operators of Glupteba Botnet
A blockchain-enabled botnet operation targeting more than 1 million Microsoft Windows users has been disrupted by Google's Threat Analysis Group, or TAG. The botnet, dubbed Glupteba, has a presence across the U.S., India, Brazil and Southeast Asia, the research team says.
See Also: Case Study: The Road to Zero Trust
Also, Google has filed a lawsuit alleging abuse of Google's services and accounts for cybercriminal activity against two Russian individuals who it says are operators of the botnet.
The Glupteba botnet was first noticed in 2011 by researchers at internet security company ESET. At the time, it was primarily used for spam campaigns, the lawsuit says. But the lawsuit says Glupteba ramped up operations in 2020 and became more prominent in 2021 as it began taking over Windows-based machines and devices.
"The Glupteba malware family is primarily distributed through pay per install networks and via traffic purchased from traffic distribution systems," the Google TAG says. In the past year, TAG says, it observed thousands of instances of malicious Glupteba downloads per day. The botnet generally uses webpages mimicking a software crack download to deliver a variant of Glupteba to unsuspecting users instead of the intended software.
Google's TAG, in collaboration with its CyberCrime Investigation Group and cybersecurity firm CloudFlare, has blocked and terminated more than 63 million Google Docs, 1,183 Google accounts, 908 cloud projects, and 870 Google ad accounts. It also has warned nearly 3.5 million other users about the botnet via its safe browsing feature, says Shane Huntley, director of software engineering and head of the Google Threat Analysis Group.
Even after its successful disruption, Google TAG's security blog says the company estimates that the Glupteba botnet has successfully infected more than 1 million computers and other IoT devices that can be activated at any moment to carry out "a number of other criminal schemes, including large ransomware or DDoS attacks on legitimate businesses or targets of all sizes."
Google is skeptical about the complete disruption of Glupteba's operations. It says: "The operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain."
The botnet also has a feature that allows it to evade traditional takedowns.
TAG says that a conventional botnet-infected device looks for predetermined domain addresses that point to the C2 server. The instructions to locate these domains are hard-coded in the malware installed on the victim's device. If the predetermined domains are taken down by law enforcement agencies or others, the infected devices can no longer receive instructions from the C2 servers and therefore can no longer be operated by the bot controller.
The Glupteba botnet, however, does not rely solely on predetermined domains to ensure its survival, the TAG researchers. They say that when the botnet’s C2 server is interrupted, Glupteba malware is hard-coded to search the public Bitcoin blockchain for transactions involving three specific Bitcoin addresses that are controlled by the Glupteba botnet operators.
TAG researchers say that the operators execute transactions in these addresses and as part of these transactions, the Glupteba operators leave the location of the domain for a new backup C2 server in the blockchain. TAG says the three Bitcoin wallet addresses are:
The operators make use of the OP_RETURN script opcode - which is used to mark a transaction output as invalid - to deliver the new C2 server address, the researchers say.
The OP_RETURN data can be decrypted using AES-256 GCM - in which the first 12 bytes contain the IV, the last 16 bytes the GCM tag, and the middle section the AES-256 GCM encrypted domain. Once these are decoded, the Glupteba malware reassigns the new address for the C2 server and executes commands received from it.
Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, and deploy and operate proxy components targeting Windows systems and IoT devices, the TAG researchers say. A report from cybersecurity firm Sophos in 2020 confirms these capabilities of the malware, calling it "self-concealing" and "security-resistant." Researcher Lucy Nagy discusses in the report Glupteba’s network protocol and other components that make the malware stealthy.
Google Sues Alleged Operators
Google is fighting the battle against the Glupteba botnet operations on two fronts. On the technical front, it has partnered with various cybersecurity firms to enable the botnet's takedown. On the legal front, it has filed a lawsuit in the Southern District of New York against two Russians individuals - Dmitry Starovikov and Alexander Filippov - whom Google alleges are the operators of the botnet.
The two individuals are being sued on six different counts, including violations under the Racketeer Influenced and Corrupt Organizations Act, violations of the Electronic Communications Privacy Act, computer fraud and abuse, trademark infringement, tortious interference of business relationships, and unjust enrichment allegations, according to the complaint.
Google also has filed a temporary restraining order "to bolster [its] technical disruption effort," say Royal Hansen, vice president of security at Google, and Halimah DeLaine Prado, general counsel at Google, in a joint statement released on Tuesday. The statement describes the legal strategy used by Google to counter the Glupteba operations.
U.S. Rep. Michael McCaul, who represents the 10th District of Texas, lauded the initiative. The move demonstrates how the public and private sectors are working in tandem to counter the threats from Russia, he says.
Private sector companies, like @Google and @Microsoft, are stepping up against Russian and PRC hackers. This demonstrates the progress that is being made in the USG and the private sector’s ability to combat the scourge of Russian and CCP hackers. https://t.co/qWFkhEBB1Q— Michael McCaul (@RepMcCaul) December 7, 2021
Google TAG's Huntley agrees that collaboration is immensely helpful. "Serious cybercrime is not an easy problem to solve, but I strongly believe that pressure from technical analysis, coordinated disruption and legal action can make a difference and keep users safer," he says in a series of tweets on Tuesday.
Disruption, But Not Prevention
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, tells Information Security Media Group, "Google’s actions in coordination with other hosting providers have no doubt caused noticeable disruption for Glupteba’s current campaigns," but he says they are not likely to prevent "the perpetrators launching new attack infrastructure by shifting to other less vigilant hosting providers, especially as they have encoded backup C2 server locations onto the Bitcoin blockchain. This provides the group with some infrastructure resiliency as it makes locating all current C2 instances much less predictable."
But identifying the botnet and filing litigation against the individuals involved is an important an outcome, Clements says, adding that the most effective way to stop a threat actor’s operations is handcuffs. Although cybercriminals residing in adversarial nation-states are not likely to be targeted by local law enforcement agencies for crimes committed in foreign countries, he says, the positive identification imposes .long-term risk to the cybercriminals, who could be brought to justice while traveling internationally to jurisdictions where they have committed crimes or that have extradition agreements with other affected countries.