Skip to main content

Disrupting the Glupteba operation

Google TAG actively monitors threat actors and the evolution of their tactics and techniques. We use our research to continuously improve the safety and security of our products and share this intelligence with the community to benefit the internet as a whole.

As announced today, Google has taken action to disrupt the operations of Glupteba, a multi-component botnet targeting Windows computers. We believe this action will have a significant impact on Glupteba's operations. However, the operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain.

Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, deploy and operate proxy components targeting Windows systems and IoT devices. TAG has observed the botnet targeting victims worldwide, including the US, India, Brazil and Southeast Asia.

The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS). For a period of time, we observed thousands of instances of malicious Glupteba downloads per day. The following image shows a webpage mimicking a software crack download which delivers a variant of Glupteba to users instead of the promised software.

Example cracked software download site distributing Glupteba

Example cracked software download site distributing Glupteba

While analyzing Glupteba binaries, our team identified a few containing a git repository URL: “git.voltronwork.com”. This finding sparked an investigation that led us to identify, with high confidence, multiple online services offered by the individuals operating the Glupteba botnet. These services include selling access to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and selling credit card numbers (extracard) to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads.

Example of a cryptocurrency scam uploaded to Google Ads and by Glupteba services

Example of a cryptocurrency scam uploaded to Google Ads and by Glupteba services

This past year, TAG has been collaborating with Google’s CyberCrime Investigation Group to disrupt Glupteba activity involving Google services. We’ve terminated around 63M Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with their distribution. Furthermore, 3.5M users were warned before downloading a malicious file through Google Safe Browsing warnings.

In the last few days, our team partnered with Internet infrastructure providers and hosting providers, including CloudFlare, to disrupt Glupteba’s operation by taking down servers and placing warning interstitial pages in front of the malicious domain names. During this time, an additional 130 Google accounts associated with this operation were terminated.

Parallel to the analysis, tracking, and technical disruption of this botnet, Google has filed a lawsuit against two individuals believed to be located in Russia for operating the Glupteba Botnet and its various criminal schemes. Google is alleging violations under the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Lanham Act, and tortious interference of business relationships, and unjust enrichment.

While these actions may not completely stop Glupteba, TAG estimates that combined efforts will materially affect the actor’s ability to conduct future operations.

Glupteba’s C2 Backup Mechanism

The command and control (C2) communication for this botnet uses HTTPS to communicate commands and binary updates between the control servers and infected systems. To add resilience to their infrastructure, the operators have also implemented a backup mechanism using the Bitcoin blockchain. In the event that the main C2 servers do not respond, the infected systems can retrieve backup domains encrypted in the latest transaction from the following bitcoin wallet addresses:

  • '1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1' [1]
  • '15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6’ [2]
  • '1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97' [3]

The following 32 byte AES keys for decryption are hard coded in the binaries:

  • 'd8727a0e9da3e98b2e4e14ce5a6cf33ef26c6231562a3393ca465629d66503cf'
  • ‘1bd83f6ed9bb578502bfbb70dd150d286716e38f7eb293152a554460e9223536’

The blockchain transaction’s OP_RETURN data can be decrypted using AES-256 GCM to provide a backup command and control domain name. The first 12 bytes of the OP_RETURN contains the IV, the last 16 bytes the GCM tag, while the middle section is the AES-256 GCM encrypted domain. Full details of Glupteba’s network protocol can be found in this report from 2020, the following Python script illustrates how one can decrypt an encrypted domain name:

Python script

IOCs

Recent domains used for command and control:

  • nisdably[.]com
  • runmodes[.]com
  • yturu[.]com
  • retoti[.]com
  • trumops[.]com
  • evocterm[.]com
  • iceanedy[.]com
  • ninhaine[.]com
  • anuanage[.]info

Recent sha256 hashes of malware samples:

  • df84d3e83b4105f9178e518ca69e1a2ec3116d3223003857d892b8a6f64b05ba
  • eae4968682064af4ae6caa7fff78954755537a348dce77998e52434ccf9258a2
  • a2fd759ee5c470da57d8348985dc34348ccaff3a8b1f5fa4a87e549970eeb406
  • d8a54d4b9035c95b8178d25df0c8012cf0eedc118089001ac21b8803bb8311f4
  • c3f257224049584bd80a37c5c22994e2f6facace7f7fb5c848a86be03b578ee8
  • 8632d2ac6e01b6e47f8168b8774a2c9b5fafaa2470d4e780f46b20422bc13047
  • 03d2771d83c50cc5cdcbf530f81cffc918b71111b1492ccfdcefb355fb62e025
  • e673ce1112ee159960f1b7fed124c108b218d6e5aacbcb76f93d29d61bd820ed
  • 8ef882a44344497ef5b784965b36272a27f8eabbcbcea90274518870b13007a0
  • 79616f9be5b583cefc8a48142f11ae8caf737be07306e196a83bb0c3537ccb3e
  • db84d13d7dbba245736c9a74fc41a64e6bd66a16c1b44055bd0447d2ae30b614

by Shane HuntleyThreat Analysis Group via The Keyword

Comments

Post a Comment

Popular posts from this blog

certain keys on my keyboard dont work when "cold"

Hi guys, i have a Lenovo Y520-15IKBN (80WK) and certain keys on the keyboard don't work (e,g,h,8,9,Fn...) but only when the weather is cold. for example in the winter it used to work after certain amount of time when i first boot the laptop and stops working when i stop using it for a while, but now that the weather is hot it works just fine except for the first couple of minutes or when its colder. of course i do realise that it has nothing to do with the outside weather but with the temperature of the computer itself. can someone explain to me why this is happening and how it should be fixed as i cannot take it to the tech service until july even though it's still under warranty because i need it for school. ps: an external keyboard works fine. Submitted April 29, 2018 at 03:35PM by AMmej https://ift.tt/2KiQg05
Post a Comment
Read more

Old PC with a Foxconn n15235 motherboard needs drivers! Help!!

So my Pc corrupted and I had to fresh install windows on it, but now its missing 3 drivers and one of them is for the Ethernet controller! I've tried searching everywhere for the windows 7 drivers but all I seem to find are some dodgey programs saying they will install it for me. Problem is without the ethernet driver I can't bloody connect to the internet. I've been using a USB to try get some drivers on there, but they just end up being useless programmes . I'm also a bit of a noob at these things, I don't understand where to find the names of things in my PC, I've opened it up but I don't understand whats significant and what isnt. If someone has the drivers and can teach me how to install them I'd be very appreciative! Submitted April 29, 2018 at 02:47PM by darrilsteady https://ift.tt/2r76xMZ
Post a Comment
Read more