Six months after being taken down by Google, the Glupteba gang is back into action with improved controls and even more weapons.
Leveraging the blockchain, Glupteba hackers retrieve their wallet addresses, C2 server details, and for others operations. Though this makes the gang’s operations public, it makes it resilient to normal takedowns by law enforcement.
Rebirth of Glupteba Hackers
In December last year, Google took down the operations of Glupteba – a new-age threat actor that leverages the Bitcoin blockchain to perform its malicious operations. Securing the court orders, Google had taken control of the botnet’s infrastructure and even filed complaints against two Russian operators.
Well, this didn’t stop the operators from backing off, as they have now come up with a revamped botnet system. As noted by Nozomi researchers, the latest samples of Glupteba revealed a bunch of new domains, an expanded C2, and other tools to increase its scope in the second iteration.
Usually, the botnet hits Windows devices to mine for cryptocurrency, steal user credentials and deploy proxies on Windows systems – and sell them to other threat actors for using them as residential proxies.
All this while on the Bitcoin blockchain, which the Glupteba uses for retrieving its latest C2 address, wallet addresses, etc. Though everyone can see and scrutinize the transactions happening on blockchain, it’s resilient enough against takedowns, as law enforcement needs Bitcoin’s private key to control the operation.
Recently, Nozomi researchers scanned the entire blockchain and samples to surface the new campaign’s C2 domains, extract wallet addresses and even attempt to decrypt the transaction payload.
They further identified 15 Bitcoin addresses used in four campaigns, with the most recent one being from June 2022. Domain registrations belonging to the Glupteba gang are even huge, with the latest one being on 22nd November 2022. As the campaign is still underway, we might see more details unraveling in the process.