Man typing keyboard with virus warning on screen showing cryptojacking botnet

Google Disrupts Glupteba Cryptojacking Botnet With Removal of Hosted Ads, Documents and Accounts, & Notifications to Web Hosts

A pernicious botnet used for cryptojacking has taken a major blow thanks to Google, whose free cloud-based services it relied on to propagate. The company has identified and removed thousands of accounts, hosted files and ad accounts that were being used to spread malicious files.

The botnet, Glupteba, has been operating for some months and was thought to be compromising thousands of people per day at its peak. The cryptojacking botnet quietly installs coin miners on Windows PCs and attempts to steal login credentials and authentication cookies. It spread via Google advertisements promising software cracks and phishing emails linking to malicious files hosted with Google Docs.

Notorious cryptomining and credential theft botnet crippled

Google cautions that though the Glupteba botnet’s operations have been disrupted, it is not out of commission. The company took action on its own to remove elements that used Google resources to attack new victims, but it would take a law enforcement effort to “hack back” and take down the botnet’s hardware resources. Google led off its announcement by warning that the operators would likely regroup and develop alternate distribution mechanisms.

But, at least for the moment, the cryptojacking botnet should at least be significantly slowed down. Glupteba has been observed compromising machines all over the world, and is thought to have infected about one million devices since 2020.

Once on a target device, the Glupteba malware hides in the background and looks to steal credentials while also hogging system resources for cryptomining. The botnet is primarily fed via malicious websites that promise downloads of cracked commercial software, but instead install Glupteba when the user clicks on the download link.

Researchers at Google tracked Glupteba to a git repository that indicates it is being operated by an experienced group of cyber criminals; the suspects were also tied to the sale of credit card numbers and stolen login credentials, including illicit access to proxy servers. Some of the credit card numbers were in turn reportedly being used to purchase malicious advertising campaigns via hundreds of Google Ads accounts.

The cryptojacking crew were also apparently heavy users of Google’s free cloud hosting services. The company said that it identified 1,183 Google Accounts and 908 Cloud Projects hosting malicious files linked to the group, and a staggering total of about 63 million Google Docs with malicious elements linking to the Glupteba malware.

In addition to removing these internal files, Google said that it reached out to web hosts (such as Cloudflare) and advised them of malicious sites containing malware. These service providers have reportedly begun taking down some of these sites and servers, and putting interstitial warning pages in front of some indicating that they may be harmful.

While Google cannot “hack back” against malicious servers and has reached the extent of its legal action in contacting ISPs and hosts, it did some research into the Glupteba command and control system and found that it has a redundant Bitcoin blockchain backup system meant to route traffic to alternate servers if the main ones are taken down. Given how long the cryptojacking malware has been in circulation and the rate of success the perpetrators have had, it is reasonable to expect that they will eventually regroup with a new system of backbone servers supporting the botnet.

Permanent removal now moves to the hand of formal law enforcement investigations, but Google also reports filing lawsuits against two individuals in Russia it believes to be associated with the botnet. The two set up Google email addresses using a server that was also identified as part of the Glupteba infrastructure. Google has also connected the two men to business addresses in the Russian Federation Tower, which has been connected to other cyber crime operations in the past.

Highly successful cryptojacking malware likely to remain a threat

Assuming that the perpetrators are indeed in Russia and are sophisticated enough to have robust backup systems in place, it is quite likely that Glupteba will eventually return to its cryptojacking activity. Law enforcement actions against individuals in Russia are always difficult and have a low likelihood of success, as the Putin government will not extradite these criminals and does not appear especially motivated to prosecute them.

The move reveals that major tech platforms are taking substantial action to police their own services for misuse of their resources, however, and are also sharing intelligence they gather with other entities. Microsoft did something similar recently in scrubbing a hacking group believed to be based in China from its services, passing on information it gathered internally about the attackers to ISPs and government agencies.

Researchers at Google tracked Glupteba to a git repository that indicates it is being operated by an experienced group of #cybercriminals. #Cryptojacking #botnet thought to have infected about one million devices since 2020. #cybersecurity #respectdataClick to Tweet

While Glupteba has thus far been used only for cryptojacking and stealing credentials, some security analysts are concerned that if it grows big enough it might pivot to becoming a distributed denial of service (DDoS) or ransomware botnet.