Google announces lawsuit, technical action against blockchain botnet Glupteba

Google said the botnet involves approximately one million compromised Windows devices worldwide.
Written by Jonathan Greig, Contributor

Google announced this morning that it disrupted the command and control infrastructure of Russia-based Glupteba, a blockchain-backed botnet being used to target Windows machines. 

Google vice president of security Royal Hansen and general counsel Halimah DeLaine Prado wrote in a blog post on Tuesday that the company's Threat Analysis Group had been tracking Glupteba for months before taking technical and legal actions against the group. 

Google filed a lawsuit against the blockchain-enabled botnet -- litigation they called the first of its kind -- hoping to "create legal liability for the botnet operators, and help deter future activity."

"After a thorough investigation, we determined that the Glupteba botnet currently involves approximately one million compromised Windows devices worldwide, and, at times, grows at a rate of thousands of new devices per day," the two wrote. 

"Glupteba is notorious for stealing users' credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people's internet traffic through infected machines and routers."

Google noted that while they were able to disrupt key Glupteba command and control infrastructure, the actions may prove to be temporary due to the group's "sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity."

Google believes the legal action will make it harder for the group to take advantage of other devices. The lawsuit names Dmitry Starovikov and Alexander Filippov, noting that other unknown actors are involved. 

The lawsuit was filed in the Southern District of New York. Starovikov and Filippov are being sued for computer fraud and abuse, trademark infringement, and more. Google also filed for a temporary restraining order, an attempt to "create real legal liability for the operators."

But Google was also honest about the fact that the group's use of blockchain technology made the botnet resilient. They also noted that more cybercrime organizations are taking advantage of blockchain technology, which allows botnets to recover more quickly because of their decentralized nature. 

Shane Huntley and Luca Nagy, members of Google's Threat Analysis Group (TAG), explained in a blog post that "TAG has observed the botnet targeting victims worldwide, including the US, India, Brazil, Vietnam, and Southeast Asia. The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS)."

TAG and others at Google terminated around 63 million Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with Glupteba distribution. About 3.5 million users were warned before downloading a malicious file through Google Safe Browsing warnings, according to Huntley and Nagy. 

As part of the investigation, Google used Chainalysis products and investigative services to help understand the botnet. 

Erin Plante, Chainalysis senior director of investigative services, told ZDNet that the botnet has two main cryptocurrency nexuses: cryptojacking and a previously unknown tactic used to evade shutdown. 

She added that the investigation revealed cryptocurrency transactions originating in Federation Tower East, a luxury office building in Moscow where many cryptocurrency businesses known to launder criminal funds are headquartered. 

Plante explained that Glupteba's operators used the machines they compromised for several criminal schemes, including utilizing their computing power to mine cryptocurrency. 

According to Plante, Glupteba also used the Bitcoin blockchain to encode updated command-and-control servers (C2) into the Op_Returns of Bitcoin transactions. This means that whenever one of Glupteba's C2 servers was shut down, it could simply scan the blockchain to find the new C2 server domain address, which was then hidden amongst the hundreds of thousands of daily Bitcoin transactions worldwide.

Plante said this was the first known case of a botnet using this approach: "This case shows that cybersecurity teams at virtually any company that could be a target for cybercriminals must understand cryptocurrency and blockchain analysis in order to stay ahead of cybercriminals."

Editorial standards