2021-12-09



Google said on Tuesday that it has taken steps to disrupt the operation of Glupteba, a sophisticated "multi-component" botnet that has infected more than a million Windows computers around the world and stores its command-and-control (C2) server addresses in the Bitcoin blockchain as a resilience mechanism.

As part of its efforts, Google's Threat Analysis Group (TAG) said it partnered with the company's CyberCrime Investigation Group over the past year to disrupt the malware, terminating approximately 63 million Google Docs, 1,183 Google accounts, 908 cloud projects, and 870 Google Ads accounts associated with its distribution.

Google TAG says it also worked with internet infrastructure and hosting providers such as Cloudflare to dismantle the malware by shutting down servers and placing interstitial warning pages in front of the malicious domains.

At the same time, the internet giant has filed a lawsuit against two Russian nationals, Dmitry Starovikov and Alexander Filippov, who are alleged to be responsible for managing the botnet, along with 15 unnamed defendants.

"Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, and deploy and operate proxy components targeting Windows systems and IoT devices," TAG researchers Shane Huntley and Luca Nagy said, adding that the botnet targets victims around the world, including in the United States, India, Brazil, and Southeast Asia.

Glupteba was first documented in 2011 by Slovak internet security company ESET. Last year, cybersecurity company Sophos published a report on the dropper, describing the various approaches it takes to keep a low profile and avoid being noticed.

Distributed primarily through sketchy third-party software download sites, online movie streaming sites, and video platforms, where it masquerades as free software and YouTube videos, the modular botnet can, once installed, be adjusted to exploit its unauthorized access to the device and fetch additional components that enable a number of criminal schemes, including:

- Stealing personal account information and selling access to it to third parties through a portal called "Dont[.]farm"
- Selling credit cards to facilitate fraudulent purchases from Google Ads and other Google services
- Selling unauthorized access to devices for use as residential proxies through "AWM Proxy[.]net" to conceal the activity of malicious actors
- Delivering disruptive pop-up ads on compromised machines
- Hijacking the computing power of devices to mine cryptocurrencies

Interestingly, however, rather than selling the stolen credentials directly to other criminal customers, the Glupteba operators provided access through virtual machines preloaded with a web browser already logged in to the siphoned accounts.

"Customers at Dont[.]farm pay Glupteba Enterprise in exchange for the ability to access a browser that is already logged in to the victim's stolen Google account," the company claimed. "Once granted access to the account, Dont[.]farm customers are free to use the account without the knowledge or permission of the actual account owner, such as by purchasing ads or launching fraudulent advertising campaigns."

The downloaded modules incorporate means of hiding from detection by antivirus solutions and are designed to execute arbitrary commands pushed by an attacker-controlled server. Glupteba is also noteworthy in that, unlike other traditional botnets, the malware uses the Bitcoin blockchain as its backup command-and-control (C2) system.

Specifically, rather than relying solely on a list of predetermined disposable domains that are hard-coded in the malware or obtained through a domain generation algorithm (DGA), the malware is programmed to search the public Bitcoin blockchain for transactions involving one of three wallet addresses owned by the threat actor, and to fetch the encrypted C2 server addresses from those transactions.
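The mechanism described above, a "dead drop" in which data is embedded in a public ledger, is something an analyst can read and monitor from the defender's side: the actor's wallet addresses are known, so any new transaction from them that carries an OP_RETURN payload is the signal that a C2 location may have changed. The following is an added example, not code from the article or from Google's research. It parses Bitcoin OP_RETURN output scripts (the standard way arbitrary bytes are embedded in a transaction) and flags payloads not seen before. The transaction records, wallet addresses and payload bytes are constructed for this example and mimic only the minimal shape a block-explorer or Electrum-style API returns; the payload is left as opaque ciphertext because the article does not specify the encryption scheme.

```python
"""Monitor known wallet addresses for new OP_RETURN "dead drop" payloads.

Added example (not from the article or Google's research).  All wallet
addresses, transaction ids and payload bytes below are constructed
placeholders; the record layout is an assumption modelled on what a
block explorer or Electrum-style server returns.
"""
from typing import Iterable, List, Optional, Set, Tuple

OP_0 = 0x00
OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def parse_op_return(script_hex: str) -> Optional[bytes]:
    """Return the bytes pushed after OP_RETURN, or None if the output
    script is not an OP_RETURN script.  Handles the empty push, direct
    pushes (1-75 bytes), OP_PUSHDATA1 and OP_PUSHDATA2, which is more
    than enough for the 80-byte standard relay limit."""
    script = bytes.fromhex(script_hex)
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if op == OP_0:
        return b""
    if 1 <= op <= 75:
        start, length = 2, op
    elif op == OP_PUSHDATA1 and len(script) >= 3:
        start, length = 3, script[2]
    elif op == OP_PUSHDATA2 and len(script) >= 4:
        start, length = 4, int.from_bytes(script[2:4], "little")
    else:
        return None  # not a simple data push; treat as malformed
    data = script[start:start + length]
    return data if len(data) == length else None


def op_return_script_hex(payload: bytes) -> str:
    """Build an OP_RETURN script; used here only to construct sample data."""
    if len(payload) <= 75:
        return (bytes([OP_RETURN, len(payload)]) + payload).hex()
    if len(payload) <= 0xFF:
        return (bytes([OP_RETURN, OP_PUSHDATA1, len(payload)]) + payload).hex()
    return (bytes([OP_RETURN, OP_PUSHDATA2]) + len(payload).to_bytes(2, "little") + payload).hex()


# Constructed: the three wallets a sample would be watching (placeholders).
WATCHED_WALLETS: Set[str] = {
    "bc1q-watched-wallet-1-placeholder",
    "bc1q-watched-wallet-2-placeholder",
    "bc1q-watched-wallet-3-placeholder",
}

# Constructed opaque ciphertext stand-ins for the encrypted C2 addresses.
PAYLOAD_1 = bytes.fromhex("a3f1" * 8)   # 16 bytes -> direct push
PAYLOAD_2 = bytes(range(80))            # 80 bytes -> OP_PUSHDATA1

# Constructed transaction records: a watched wallet, an unrelated wallet,
# and a watched wallet whose OP_RETURN sits behind a normal P2PKH output.
P2PKH_SCRIPT = "76a914" + "00" * 20 + "88ac"
SAMPLE_TXS = [
    {"txid": "tx-0001-constructed", "from": "bc1q-watched-wallet-1-placeholder",
     "outputs": [{"value": 0, "script_hex": op_return_script_hex(PAYLOAD_1)}]},
    {"txid": "tx-0002-constructed", "from": "bc1q-unrelated-wallet-placeholder",
     "outputs": [{"value": 0, "script_hex": op_return_script_hex(b"noise")}]},
    {"txid": "tx-0003-constructed", "from": "bc1q-watched-wallet-2-placeholder",
     "outputs": [{"value": 1000, "script_hex": P2PKH_SCRIPT},
                 {"value": 0, "script_hex": op_return_script_hex(PAYLOAD_2)}]},
]


def dead_drop_payloads(txs: Iterable[dict], watched: Set[str]) -> List[Tuple[str, bytes]]:
    """Return (txid, payload) for every OP_RETURN output in a transaction
    sent from one of the watched wallets, in ledger order."""
    found = []
    for tx in txs:
        if tx["from"] not in watched:
            continue
        for out in tx["outputs"]:
            payload = parse_op_return(out["script_hex"])
            if payload is not None:
                found.append((tx["txid"], payload))
    return found


def new_payloads(txs: Iterable[dict], watched: Set[str], seen: Set[bytes]) -> List[Tuple[str, bytes]]:
    """Detection step: return only payloads not seen before and record
    them, so a fresh push from the actor's wallets raises an alert."""
    fresh = []
    for txid, payload in dead_drop_payloads(txs, watched):
        if payload not in seen:
            seen.add(payload)
            fresh.append((txid, payload))
    return fresh


if __name__ == "__main__":
    seen: Set[bytes] = {PAYLOAD_1}  # already known from an earlier scan
    for txid, payload in new_payloads(SAMPLE_TXS, WATCHED_WALLETS, seen):
        print(f"ALERT new dead-drop payload in {txid}: {payload.hex()}")
```

In practice the `SAMPLE_TXS` list would be replaced by records pulled from a block explorer for each watched address on a schedule, and the `seen` set persisted between runs; the value of the monitor is that a takedown team learns about a C2 rotation at the same moment the bots do, since both read the same public ledger.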

"Unfortunately, Glupteba's use of blockchain technology as a resilience mechanism is notable here and is becoming a more common practice among cybercriminal organizations," said Google's Royal Hansen and Halimah DeLaine Prado. "The decentralized nature of the blockchain allows the botnet to recover more quickly from disruptions, making it that much harder to shut down."

In addition, the tech giant explained in the complaint that the cybercriminal organization maintains an online presence at "Voltronwork[.]com" and actively recruits developers through Google Ads job postings to "support websites, transactions, and overall operations."

The legal move comes a day after Microsoft revealed it had seized 42 domains used by the China-based Nickel hacking group (aka APT15, Bronze Palace, Ke3Chang, Mirage, Playful Dragon, Vixen Panda) to target servers belonging to government agencies, think tanks, and human rights groups in the United States and 28 other countries around the world.

