Google announced to have disrupted the Glupteba botnet

On 7 December 2021, Google announced that it had disrupted Glupteba, a botnet that has spread malware to around one million Windows devices and relies on the Bitcoin blockchain as a fallback control channel.

“Google has taken action to disrupt the operations of Glupteba, a multi-component botnet targeting Windows computers. We believe this action will have a significant impact on Glupteba’s operations. However, the operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain,” said Google Threat Analysis Group’s Shane Huntley and Luca Nagy today.

The American multinational technology company stated that the threat actors used the botnet to mine cryptocurrencies on victims’ computers, steal user credentials and cookies, and deploy and operate proxy components targeting Windows systems and IoT devices. Google has also seen the botnet targeting victims in the US, India, Brazil and Southeast Asia.

In a civil complaint filed against two Russian nationals, Dmitry Starovikov and Alexander Filippov, as well as 15 unknown individuals, Google revealed that Glupteba has infected more than one million machines worldwide. Google claims that the defendants used the botnet to steal victims’ account information to sell to third parties and to mine cryptocurrencies on victims’ computers.

Google mentioned some of the online services offered by the Glupteba botnet’s operators: “These services include selling access to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and selling credit card numbers (extracard) to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads.”

Glupteba’s operators use blockchain technology to protect the botnet and to bypass traditional tools that could disrupt its malicious activity. “The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shut down. We are working closely with industry and government as we combat this type of behavior, so that even if Glupteba returns, the internet will be better protected against it,” said Google’s Vice President for Security Royal Hansen and General Counsel Halimah DeLaine Prado.
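As an added illustration (not part of Google’s announcement or this article), the Python below parses a raw Bitcoin transaction and pulls out data pushed through OP_RETURN outputs, which is the mechanism public analyses of Glupteba describe for its backup channel; that encoding is an assumption here, and the sample transaction and payload are constructed. From a defender’s view, this is the parsing a monitoring pipeline needs in order to watch for new control data appearing on-chain after the primary infrastructure has been taken down.

```python
import struct

OP_RETURN, OP_PUSHDATA1 = 0x6A, 0x4C


def read_varint(buf: bytes, pos: int):
    # Decode a Bitcoin CompactSize integer; return (value, new_pos).
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    fmt, size = {0xFD: ("<H", 2), 0xFE: ("<I", 4), 0xFF: ("<Q", 8)}[first]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + size


def op_return_payload(script: bytes):
    """Return the pushed bytes if script is `OP_RETURN <push>`, else None."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op = script[1]
    if 1 <= op <= 75:                              # direct push of 1..75 bytes
        return script[2:2 + op]
    if op == OP_PUSHDATA1 and len(script) >= 3:    # next byte holds the length
        return script[3:3 + script[2]]
    return None


def extract_op_return(raw_tx: bytes):
    """Walk a legacy (non-segwit) raw transaction; collect OP_RETURN payloads."""
    pos = 4                                        # skip 4-byte version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 36                                  # prev txid + output index
        slen, pos = read_varint(raw_tx, pos)
        pos += slen + 4                            # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    payloads = []
    for _ in range(n_out):
        pos += 8                                   # value in satoshis
        slen, pos = read_varint(raw_tx, pos)
        data = op_return_payload(raw_tx[pos:pos + slen])
        pos += slen
        if data is not None:
            payloads.append(data)
    return payloads


# Constructed sample: one dummy input, an OP_RETURN output carrying a made-up
# payload, and one ordinary P2PKH output (the hash160 is a dummy value).
SAMPLE_PAYLOAD = b"constructed-test-payload"
_opret = bytes([OP_RETURN, len(SAMPLE_PAYLOAD)]) + SAMPLE_PAYLOAD
_p2pkh = bytes.fromhex("76a914") + b"\x11" * 20 + bytes.fromhex("88ac")
SAMPLE_TX = (b"\x01\x00\x00\x00" + b"\x01" + b"\x00" * 37 + b"\xff" * 4     # version, 1 input
             + b"\x02" + b"\x00" * 8 + bytes([len(_opret)]) + _opret        # 2 outputs
             + struct.pack("<Q", 5000) + bytes([len(_p2pkh)]) + _p2pkh + b"\x00" * 4)
```

Running `extract_op_return(SAMPLE_TX)` returns the single constructed payload; a real deployment would feed it transactions fetched from a node or block explorer for the wallet addresses under watch.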

Google was also able to take down the services the attackers used to control and distribute the botnet: “We’ve terminated around 63M Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with their distribution. Furthermore, 3.5M users were warned before downloading a malicious file through Google Safe Browsing warnings.”