Google has announced that it has taken legal and technical action to disrupt the operations of the blockchain-enabled botnet known as Glupteba, which currently involves nearly 1 million infected Windows machines worldwide.
At times, Google says, it saw the infected network grow by about 1,000 devices per day. Glupteba is known for stealing users’ credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people’s internet traffic through infected machines and routers. The botnet was observed targeting victims worldwide, including the US, India, Brazil and Southeast Asia.
The Glupteba malware family is mainly distributed via pay-per-install (PPI) networks and via traffic purchased from traffic distribution systems (TDS). According to Google’s Threat Analysis Group (TAG), the team terminated around 63 million Google Docs observed to have distributed Glupteba, along with 1,183 Google Accounts, 908 Cloud Projects and 870 Google Ads accounts associated with its distribution.
As part of the technical action against the botnet, Google says it disrupted the botnet’s key command-and-control infrastructure, which should cripple the botnet, at least temporarily.
“Unfortunately, Glupteba’s use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cyber crime organizations. The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shut down. We are working closely with industry and government as we combat this type of behavior, so that even if Glupteba returns, the internet will be better protected against it,” Google said.
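To make the resiliency point concrete, here is a small Python model, added for this article and not code from Google or from the Glupteba operators, of the general pattern the quote refers to: a bot tries its hardcoded C2 domains first and, when those are sinkholed or seized, falls back to the most recent authenticated record an operator has written into a public ledger that nobody can take offline. The ledger entries, the watched address `WATCHED_ADDRESS`, the key `OPERATOR_KEY`, the `.example` domains and the HMAC-based record format are all constructed assumptions for illustration; they are not Glupteba's real addresses, keys or encoding.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed, hypothetical values for the model; not real Glupteba artifacts.
OPERATOR_KEY = b"example-operator-key"   # secret the operator embeds in every bot
WATCHED_ADDRESS = "bc1q-example-watched"  # ledger address the bot polls for updates
TAG_LEN = 16


def make_update_record(domain: str, key: bytes = OPERATOR_KEY) -> bytes:
    """Operator side: authenticate a new C2 domain so bots accept only operator-issued updates."""
    body = domain.encode("ascii")
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return tag + body


def parse_update_record(payload: bytes, key: bytes = OPERATOR_KEY) -> Optional[str]:
    """Bot side: return the domain only if the tag verifies; forged or junk records are ignored."""
    if len(payload) <= TAG_LEN:
        return None
    tag, body = payload[:TAG_LEN], payload[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return body.decode("ascii")
    except UnicodeDecodeError:
        return None


def latest_domain_from_ledger(ledger: Iterable[dict], address: str = WATCHED_ADDRESS,
                              key: bytes = OPERATOR_KEY) -> Optional[str]:
    """Scan ledger entries sent to the watched address in block order; keep the newest valid domain."""
    newest = None
    for tx in sorted(ledger, key=lambda t: t["height"]):
        if tx["to"] != address:
            continue
        domain = parse_update_record(bytes.fromhex(tx["op_return"]), key)
        if domain is not None:
            newest = domain
    return newest


def resolve_c2(hardcoded: list, ledger: Iterable[dict],
               reachable: Callable[[str], bool]) -> Optional[str]:
    """The bot's C2 selection: hardcoded domains first, then the ledger-published fallback."""
    for domain in hardcoded:
        if reachable(domain):
            return domain
    fallback = latest_domain_from_ledger(ledger)
    if fallback is not None and reachable(fallback):
        return fallback
    return None


# Constructed ledger: one stale update, one unrelated entry, one forgery, one current update.
LEDGER = [
    {"height": 100, "to": WATCHED_ADDRESS, "op_return": make_update_record("c2-old.example").hex()},
    {"height": 105, "to": "bc1q-someone-else", "op_return": make_update_record("noise.example").hex()},
    {"height": 110, "to": WATCHED_ADDRESS, "op_return": (b"\x00" * TAG_LEN + b"forged.example").hex()},
    {"height": 120, "to": WATCHED_ADDRESS, "op_return": make_update_record("c2-new.example").hex()},
]
HARDCODED = ["c2-primary.example", "c2-backup.example"]


def simulate(sinkholed: set) -> Optional[str]:
    """Run the bot's selection with the given set of domains treated as taken down."""
    return resolve_c2(HARDCODED, LEDGER, lambda d: d not in sinkholed)


if __name__ == "__main__":
    print(simulate(set()))                                            # c2-primary.example
    print(simulate({"c2-primary.example", "c2-backup.example"}))      # c2-new.example
```

Seizing every hardcoded domain does not break the model: the bot rotates to `c2-new.example` because the ledger entry survives, and the forged entry at height 110 is rejected because its tag does not verify. The practical consequence for defenders is that a domain takedown alone is not enough; the watched address and the bot's verification key recovered from a sample are what let responders anticipate the next fallback, and hosts that query ledger explorer endpoints they have no business reason to contact are worth a detection rule.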
The company also announced it filed a lawsuit against two Russian nationals (Dmitry Starovikov and Alexander Filippov) and other unknown individuals it believes have created and controlled the botnet over the past few years. The company is suing them in hopes that it “will set a precedent, create legal liability for the botnet operators, and help deter future activity.”