Thought leadership. Threat analysis. Cybersecurity news and alerts.
Emerging Threat: Blockchain-Enabled Botnet
Google, together with Internet infrastructure providers and hosting providers, recently disrupted the operation of a blockchain-enabled botnet, taking down the operation’s servers – for now.
In partnership with Internet infrastructure providers and hosting providers such as Cloudflare, Google said it has taken down the servers of the Glupteba botnet.
Glupteba is a malicious software (malware) that has been around for less than a decade. Through the years, this malware uses many common cybercrime tricks. Similar to other malware, Glupteba is a zombie malware, also known as bot (short for software robot), that can be controlled remotely.
The group being Glupteba also operates a botnet – a group of computer devices each infected with the Glupteba malware and hijacked to carry out various scams and cyberattacks.
In the blog post “New action to combat cyber crime”, Royal Hansen, Vice President for Security at Google, and Halimah DeLaine Prado, Google General Counsel, said Glupteba botnet currently hijacked approximately one million Windows devices worldwide, and at times, grows at a rate of thousands of new devices per day.
“Botnets are a real threat to Internet users, and require the efforts of industry and law enforcement to deter them,” Hansen and Prado said.
In another blog post “Disrupting the Glupteba operation”, security researchers Shane Huntley and Luca Nagy from Google Threat Analysis Group said that individuals operating the Glupteba botnet offered multiple online services, including selling access to virtual machines loaded with stolen credentials, proxy access, and selling credit card numbers to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads.
Computer devices that form part of the Glupteba botnet are also used for unauthorized cryptocurrency mining, enabling the group behind this malware to earn cryptocoins, while owners of hijacked computer devices unknowingly pay the high electric bills resulting from the cryptocurrency mining.
Glupteba malware distributes itself automatically across victims’ networks via two different variants of the ETERNALBLUE exploit – a Windows exploit used in the 2017 WannaCry ransomware attack. ETERNALBLUE exploits outdated computer devices. Glupteba has also been known to exploit unprotected and outdated popular home and small business routers.
The group behind Glupteba often hides its zombie malware behind pirated software. Computer devices, even those patched against ETERNALBLUE, are attacked by Glupteba malware via pirated software from well-known piracy sites.
While Glupteba has been known to use many common cybercrime tricks, it’s known for using the Bitcoin blockchain for its malicious activities. Just like in the Cold War era when spies communicated using the “Personals” section in a print newspaper, the group behind the Glupteba botnet communicates using the Bitcoin blockchain.
“Glupteba uses the fact that the Bitcoin transactions are recorded on the Bitcoin blockchain, which is a public record of transactions available from a multitude of sources that are unexceptionably accessible from most networks,” security researcher Paul Ducklin from SophosLabs said in the write-up "Glupteba – the malware that gets secret messages from the Bitcoin blockchain".
Ducklin from SophosLabs added, “Bitcoin ‘transactions’ don’t actually have to be about money – they can include a field called RETURN, also known as OP_RETURN, that is effectively a comment of up to 80 characters.”
Security researchers from SophosLabs decrypted the secret message “venoco___ol.com” in one of the Bitcoin wallets used by the group behind Glupteba. This secret message means that the new command-and-control server used by the Glupteba is moved to venoco___ol.com.
“The current command-and-control servers used by the crooks, known as C2 servers or C&Cs, might get found out and blocked or killed off at any moment, so zombie malware often includes a method for using an otherwise innocent source of data for updates,” Ducklin added. “After all, to tell a bot to switch from one C&C server to another, you typically don’t need to send out much more than new domain name or IP number, and there are lots of public messaging systems that make it easy to share short snippets of data like that.”
Security researchers Huntley and Nagy from Google Threat Analysis Group said that the group behind Glupteba is likely to attempt to regain control of the Glupteba botnet by using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain.
Royal Hansen, Vice President for Security at Google, and Halimah DeLaine Prado, Google General Counsel, meanwhile, admitted that taking down the command and control infrastructure of Glupteba isn’t the end game for the group behind Glupteba. Before the U.S. District Court for the Southern District of New York, Google filed the first lawsuit against a blockchain-enabled botnet, in particular, suing two named individuals and 15 unidentified individuals.
“However, due to Glupteba’s sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity, we have also decided to take legal action against its operators, which we believe will make it harder for them to take advantage of unsuspecting users,” Hansen and Prado said.
Best Practices to Mitigate the Risks
Here are some of the cybersecurity best practices to protect your organization’s computer devices from being hijacked as part of a botnet like the Glupteba botnet:
Steve E. Driz, I.S.P., ITCP