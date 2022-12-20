Nozomi states that the latest and ongoing Glupteba campaign started in June 2022, 6 months after the Google lawsuit.

Nozomi Networks Labs announced that the Glupteba trojan is targeting Windows devices again and shared their latest findings on Glupteba. Since 2019 it has been known for using the Bitcoin blockchain to distribute the addresses of its command and control servers. It uses blockchain.com and blockstream.info to retrieve the Bitcoin transactions that carry them.

Disrupted by Google

In late 2021, Google disrupted Glupteba’s operations with a court order to take control of its infrastructure. Google also filed complaints against two Russian operators. Half a year later, in June of 2022, Glupteba emerged once again.

Nozomi states that the backdoor trojan is downloaded via Pay-Per-Install networks in infected installers or software cracks. It allows operators to deploy additional modules once it is active on a system. There are several Glupteba modules designed to exploit vulnerabilities in various Internet of Things appliances.

The botnet uses the Bitcoin blockchain to distribute its Command and Control domains to infected systems, which makes it resilient to takedowns: transaction data, once written to the public ledger, cannot be seized or deleted the way a domain or server can. It also uses the same approach to hide other data within the blockchain. During their research, Nozomi managed to identify 15 Glupteba bitcoin addresses spanning over 4 years, which are believed to correspond to 4 different campaigns. Nozomi Networks Labs said,

« The latest and ongoing campaign started in June 2022, 6 months after the Google lawsuit, and this time the number of malicious bitcoin addresses significantly increased. We believe this is due to several factors. First, having more Bitcoin addresses makes security researchers' job more complicated. Second, to show that the Google lawsuit did not have a major effect on their Glupteba operations. For this campaign we were not able to find any samples for 3 of the addresses we gathered. We believe these addresses are not made for testing as they distribute some domains found in other Bitcoin addresses for which we found samples. In addition, there was a tenfold increase in TOR hidden services being used as C2 servers since the 2021 campaign. »
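Because the bot has to fetch its C2 list from the two public explorers named above, that retrieval is an observable egress event. The following added example, which is not from the article or from Nozomi, hunts proxy logs for hosts whose non-browser clients poll per-address transaction lists on blockstream.info or blockchain.com/blockchain.info; the log format, the API paths and the bitcoin address are all constructed placeholders, not indicators from the page.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the page), one request per line:
# timestamp, source host, quoted user agent, method, URL.
SAMPLE_LOGS = [
    '2022-12-20T10:00:01Z ws-042 "Mozilla/5.0 (Windows NT 10.0; rv:108.0) Firefox/108.0" GET https://blockstream.info/',
    '2022-12-20T10:00:05Z ws-042 "Go-http-client/1.1" GET https://blockstream.info/api/address/bc1qplaceholderaddr0/txs',
    '2022-12-20T10:00:06Z ws-042 "Go-http-client/1.1" GET https://blockchain.info/rawaddr/bc1qplaceholderaddr0',
    '2022-12-20T10:02:00Z ws-017 "Mozilla/5.0 (Windows NT 10.0) Chrome/108.0" GET https://www.blockchain.com/explorer',
    '2022-12-20T10:03:00Z ws-099 "Go-http-client/1.1" GET https://example.org/index.html',
]

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) "(?P<ua>[^"]*)" (?P<method>\S+) (?P<url>\S+)$')

# The two explorers are the ones the article names; the per-address transaction
# endpoints are assumptions about what an automated poller would request.
TX_API_RE = re.compile(
    r'^https?://(?:www\.)?(?:'
    r'blockstream\.info/api/address/(?P<a1>[A-Za-z0-9]+)/txs'
    r'|blockchain\.(?:info|com)/rawaddr/(?P<a2>[A-Za-z0-9]+)'
    r')(?:[/?#]|$)'
)

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_browser(user_agent):
    """Crude heuristic: interactive browsers identify as Mozilla/...; a bare HTTP client library does not."""
    return user_agent.startswith("Mozilla/")

def find_address_pollers(lines):
    """Return {source_host: sorted bitcoin addresses} for hosts where a non-browser
    client fetched per-address transaction lists from either explorer."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_browser(rec["ua"]):
            continue
        m = TX_API_RE.match(rec["url"])
        if m:
            hits[rec["host"]].add(m.group("a1") or m.group("a2"))
    return {host: sorted(addrs) for host, addrs in hits.items()}

if __name__ == "__main__":
    for host, addrs in find_address_pollers(SAMPLE_LOGS).items():
        print(f"{host}: polled transactions for {', '.join(addrs)}")
```

The addresses it surfaces are what an analyst would then compare against a watchlist such as the 15 addresses Nozomi identified; legitimate wallet software polling the same endpoints is the expected false positive to triage.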