Glupteba malware reemerged despite its recent takedown

January 3, 2023

Google disrupted the Glupteba malware a year ago, but researchers have spotted recent attacks from its operators.

In December last year, Google caused massive disruption to the Glupteba blockchain-enabled botnet. The interruption to the botnet’s operation enabled Google to secure court orders to take over the botnet’s infrastructure and to file criminal complaints against a couple of Russian operators.

However, a recent report based on the malware’s TLS certificate registrations, blockchain transactions, and reverse-engineered Glupteba samples revealed a massive new campaign that the Glupteba operators launched last June. Researchers explained that the newly discovered campaign is still operating.


Glupteba malware operators stick to their usual methods of infecting targets.


According to researchers, the Glupteba malware operators continue to utilise the blockchain to distribute their obfuscated command-and-control domains, which prompted analysts to scan the entire blockchain to identify those domains.

The researchers examined about 1,500 Glupteba samples from VirusTotal to recover wallet addresses and attempted to decrypt the transaction payloads with keys extracted from the malware.

Subsequently, the researchers used passive DNS records to look for Glupteba domains and hosts, and studied the current set of TLS certificates used by the botnet operators to learn more about its infrastructure.
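The steps above amount to re-implementing the malware’s own dead-drop resolver and pointing it at the public ledger: walk the transactions of a known wallet address, keep the OP_RETURN data-carrier outputs, and try to decrypt each one with the key pulled from a sample. The Go program below is an added illustration of that resolver and is not code from the article or from any vendor’s tooling. It assumes, as this example’s own conventions, that the payload is AES-256-GCM with a 12-byte nonce prepended to the ciphertext and tag; the key, the domain and the transaction outputs are all constructed inline for the demonstration and are not real Glupteba indicators.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// Bitcoin script opcodes needed to recognise a data-carrier output.
const (
	opReturn    = 0x6a
	opPushData1 = 0x4c
)

const nonceSize = 12 // assumed layout: nonce || ciphertext+tag

// ExtractOpReturnData returns the payload embedded in an OP_RETURN
// scriptPubKey, or ok=false when the script is not a data-carrier output.
// It handles the two push forms that fit in an 80-byte OP_RETURN: a direct
// push (opcode 0x01..0x4b is the length) and OP_PUSHDATA1 (one length byte).
func ExtractOpReturnData(script []byte) (data []byte, ok bool) {
	if len(script) < 2 || script[0] != opReturn {
		return nil, false
	}
	op := int(script[1])
	switch {
	case op >= 1 && op <= 0x4b:
		if len(script) != 2+op {
			return nil, false
		}
		return script[2:], true
	case op == opPushData1:
		if len(script) < 3 || len(script) != 3+int(script[2]) {
			return nil, false
		}
		return script[3:], true
	}
	return nil, false
}

// BuildOpReturnScript is the inverse of ExtractOpReturnData; it is used here
// only to construct the sample outputs.
func BuildOpReturnScript(data []byte) []byte {
	if len(data) <= 0x4b {
		return append([]byte{opReturn, byte(len(data))}, data...)
	}
	return append([]byte{opReturn, opPushData1, byte(len(data))}, data...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptC2Payload treats payload as nonce || AES-256-GCM ciphertext+tag and
// returns the plaintext domain. A wrong key or altered data fails the tag check.
func DecryptC2Payload(key, payload []byte) (string, error) {
	if len(payload) < nonceSize+16 {
		return "", errors.New("payload too short for nonce and GCM tag")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, payload[:nonceSize], payload[nonceSize:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptC2Payload produces nonce || ciphertext+tag; used to build the sample.
func EncryptC2Payload(key, nonce []byte, domain string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, []byte(domain), nil)...), nil
}

// RecoverC2Domains walks every scriptPubKey of a transaction, keeps the
// OP_RETURN outputs, and returns those that decrypt under the sample's key.
// Non-data outputs and payloads that fail authentication (somebody else's
// OP_RETURN, or a key from a different campaign) are skipped.
func RecoverC2Domains(key []byte, scripts [][]byte) []string {
	var domains []string
	for _, s := range scripts {
		if data, ok := ExtractOpReturnData(s); ok {
			if d, err := DecryptC2Payload(key, data); err == nil {
				domains = append(domains, d)
			}
		}
	}
	return domains
}

// SampleKey is a constructed 32-byte key standing in for one recovered from a
// reverse-engineered sample; it is not a real Glupteba key.
var SampleKey, _ = hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

// SampleTransactionOutputs builds a constructed transaction with one P2PKH
// output, one OP_RETURN carrying the encrypted domain, and one unrelated
// OP_RETURN that will not authenticate under SampleKey.
func SampleTransactionOutputs() [][]byte {
	nonce := []byte("constructed!") // 12 bytes; a real payload carries its own
	payload, _ := EncryptC2Payload(SampleKey, nonce, "c2.example.invalid")
	p2pkh, _ := hex.DecodeString("76a914" + "00112233445566778899aabbccddeeff00112233" + "88ac")
	foreign := BuildOpReturnScript([]byte("unrelated data carrier output, 28+ bytes"))
	return [][]byte{p2pkh, BuildOpReturnScript(payload), foreign}
}

func main() {
	for _, d := range RecoverC2Domains(SampleKey, SampleTransactionOutputs()) {
		fmt.Println("recovered C2 domain:", d)
	}
}
```

In a real hunt the `scripts` slice would be fed from the outputs of every transaction sent from each wallet address recovered from the samples, and each recovered domain would then be pivoted on through passive DNS and certificate transparency, which is the remainder of the workflow the researchers describe.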

The latest investigation identified 15 Bitcoin addresses used by the actors across four Glupteba campaigns. The most recent campaign, which followed Google’s disruption, started last June.

Currently, the new Glupteba campaign utilises more Bitcoin addresses than its past activities, which implies that the botnet could be more resistant to security solutions. Furthermore, the number of TOR hidden services used by the actors as command-and-control servers has increased significantly since last year’s campaigns.

The most active address used by the Glupteba operators had 11 transactions and was associated with more than a thousand samples. The researchers recorded the address’s latest activity in early November.

It is now apparent that the Glupteba malware has officially returned to the cybercriminal scene. The recent sightings also indicate that it is larger than its past version. Hence, the botnet today could be more resilient, allowing its operators to withstand takedown attempts by defenders.
