Working with several internet infrastructure and hosting providers, including Cloudflare, Google disrupted the operation of an aggressive Windows botnet known as Glupteba that was being distributed through fake ads. It also served itself as a distribution network for additional malware.
In addition, the company filed a lawsuit against two individuals believed to be based in Russia and who play a central role in operating the botnet.
Google's action targeted key command-and-control infrastructure such as servers and domain names used by Glupteba, as well as many rogue accounts on Google's services that were being used to distribute it.
While this is a severe blow to the botnet, whose estimated size is over two million computers, it's unlikely to be its demise because Glupteba has a backup command-and-control (C&C) mechanism that relies on the Bitcoin blockchain. This provides it with resilience against takedown attempts.
"We’ve terminated around 63 million Google docs observed to have distributed Glupteba, 1,183 Google accounts, 908 cloud projects, and 870 Google ads accounts associated with their distribution," researchers with Google's Threat Analysis Group said in a report. "Furthermore, 3.5 million users were warned before downloading a malicious file through Google Safe Browsing warnings."
What is Glupteba?
Glupteba is a Windows malware program with a root-kit component that provides advanced stealth and self-defence capabilities and a variety of additional components or plug-ins that extend its functionality.
These include cryptocurrency mining, stealing passwords and cookies from browsers, spreading over the local network, compromising local MikroTik routers and using them as proxies for malicious traffic, and performing DNS cache poisoning to direct local network users to rogue websites.
Glupteba's feature set allows it to act as a downloader for other malware and there is evidence it has been used to distribute malware for other threat actors. One such example is the Meris DDoS botnet, which is known to abuse MikroTik routers.
The Glupteba dropper, the main component of the malware, is distributed in several ways, but primarily through fake web pages and messages on social media sites that promote pirated versions of popular commercial applications and games.
Malicious ads distributed through advertising networks that link to the malware have also been observed, promoting fake crypto trading apps and other services. The attackers used Google Accounts to post spam comments on YouTube and host docs with links to the malware in Google Docs.
To spread to other systems on the local network, Glupteba uses a plugin that exploits the EternalBlue SMB vulnerability. All communication with the command-and-control servers is achieved through another component that acts as a local proxy.
Upon installation, the dropper uses system scheduled tasks and system tools like certutil to execute itself and establish persistence. It also adds exceptions to Windows Defender for the malware folders, continuously kills the Windows Update process, and deploys two system drivers whose goal is to hide the malware process.
Command-and-control fallback via the Bitcoin blockchain
The botnet comes with command-and-control URLs hardcoded in the binary, but it has a mechanism to update them after installation in case the domains have changed. In addition, there is a failover mechanism that triggers when the botnet client can't reach any of the current C&C domains. In such a case, it will try to extract new domains from the latest transactions in three Bitcoin wallets.
All Bitcoin transactions are recorded on the public Bitcoin blockchain, which is essentially a digital ledger that is distributed to all systems participating in the Bitcoin network. Bitcoin doesn't natively support the concept of transaction notes, because this would add data to all transactions making the blockchain unnecessarily bigger.
However, there is a way to insert a limited amount of arbitrary data (40 bytes) in a Bitcoin transaction by using a field called OP_RETURN. Even though this field was intended for specific use cases, it can technically be used to store anything and is more than enough to store a domain name.
Whenever they want to update the C&C domains, the Glupteba operators can simply initiate a transaction from one of the three wallets and include a new domain name in encrypted form in the transaction's OP_RETURN field. The malware is programmed to search for the latest transaction, take the encrypted OP_RETURN data from it and decrypt it using a hardcoded AES key and then connect to the new domain name.
Since the Bitcoin blockchain can never be disrupted and transaction records are permanent and unmodifiable, even in the absence of any functional C&C servers, the attackers have a way to regain control of the botnet as long as they have control over one of the Bitcoin wallets.
"Unfortunately, Glupteba’s use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cyber crime organisations," Google's vice president for security, Royal Hansen, and the company's general counsel, Halimah DeLaine Prado, said in a joint blog post.
"The decentralised nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shut down. We are working closely with industry and government as we combat this type of behaviour, so that even if Glupteba returns, the internet will be better protected against it."
Legal action has precedent
Google filed a complaint in the Southern District of New York against two individuals named Dmitry Starovikov and Alexander Filippov, who are believed to reside in Russia, for computer abuse and fraud, identity fraud, trademark infringement, false advertising, unfair competition and more.
In addition to damages and relief, Google asked for a temporary restraining order as well as a permanent injunction preventing anyone from "assisting, aiding, or abetting any other person or business entity in engaging in or performing any of the activity" described in the complaint.
If granted, such an injunction can help Google and its partners in their efforts to block attackers from using domain names, servers and other services and infrastructure from companies that would have to comply with the injunction.
This strategy of suing botnet operators to secure court orders that would help or speed up infrastructure takedown efforts is not new. Last year, Microsoft filed copyright infringement claims against operators of the Trickbot botnet to obtain a court order that enabled the company and its partners to cut off key infrastructure and severely disrupt the botnet.