Google Disrupts Blockchain-based Glupteba Botnet; Sues Russian Hackers

DEC 10, 2021

Google on Tuesday said it took steps to disrupt the operations of a sophisticated "multi-component" botnet called Glupteba that approximately infected more than one million Windows computers across the globe and stored its command-and-control server addresses on Bitcoin's blockchain as a resilience mechanism.

As part of the efforts, Google's Threat Analysis Group (TAG) said it partnered with the CyberCrime Investigation Group over the past year to terminate around 63 million Google Docs that were observed to have distributed the malware, alongside 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts that were associated with its distribution.

Google TAG further said it worked with internet infrastructure providers and hosting providers, such as CloudFlare, to dismantle the malware by taking down servers and placing interstitial warning pages in front of the malicious domains.

In tandem, the internet giant also announced a lawsuit against two Russian individuals, Dmitry Starovikov and Alexander Filippov, who are alleged to be responsible for managing the botnet alongside 15 unnamed defendants, calling the enterprise a "modern technological and borderless incarnation of organized crime."

"Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, deploy and operate proxy components targeting Windows systems and IoT devices," TAG researchers Shane Huntley and Luca Nagy said, with the botnet observed targeting victims worldwide, including the U.S., India, Brazil, and Southeast Asia.

Glupteba was first publicly documented by Slovak internet security company ESET in 2011. Last year, cybersecurity firm Sophos published a report on the dropper, noting it "was able to continuously thwart efforts at removing it from an infected machine," adding "Glupteba also takes a variety of approaches to lay low and avoid being noticed."