"Glupteba Malware Is Back in Action After Google Disruption"

The Glupteba malware botnet has reemerged, infecting devices around the globe about a year after Google halted its operation. Google disrupted the blockchain-enabled botnet in December 2021 by obtaining court orders to seize control of the botnet's infrastructure and by filing complaints against two Russian operators. However, Nozomi now says that blockchain transactions, TLS certificate registrations, and reverse engineering of Glupteba samples indicate a continuous, large-scale Glupteba campaign that began in June 2022.

Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows and Internet of Things (IoT) devices. These proxies are eventually offered to other cybercriminals as "residential proxies." The malware is primarily distributed via malvertising on Pay-Per-Install (PPI) networks and Traffic Distribution Systems (TDS), which push installers masquerading as free software, videos, and movies.

Glupteba uses the Bitcoin blockchain to evade disruption: it obtains updated lists of the command-and-control (C2) servers it should contact to execute commands. Clients of the botnet acquire the C2 server address using a discover function that enumerates Bitcoin wallet servers, retrieves their transactions, and parses them to locate an AES-encrypted address. This article continues to discuss the reemergence of the Glupteba malware botnet.
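The discovery step described above, written from the analyst's side as an added example (not code from the article, from Nozomi, or from the malware): walk a wallet's transactions, pick out OP_RETURN outputs, and try each payload against a key recovered by reverse engineering, so the current C2 address can be tracked and blocked. The explorer record shape (txid to output scripts as hex), the AES-GCM mode, the nonce||ciphertext||tag layout, the key and every transaction value are assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// DiscoverC2 is the analyst's side of the discovery step: given a wallet's transactions
// (txid -> output scripts as hex; an assumed explorer record shape), pick OP_RETURN outputs
// (0x6a, one push-length byte, payload <= 75 bytes) and return the first payload that opens
// as AES-GCM nonce||ciphertext||tag under the recovered key (assumed layout). Unrelated
// OP_RETURN data is too short or fails the authentication tag and is skipped.
func DiscoverC2(txs map[string][]string, key []byte) (addr, txid string, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", "", err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	ns := gcm.NonceSize()
	for id, outputs := range txs {
		for _, script := range outputs {
			raw, err := hex.DecodeString(script)
			if err != nil || len(raw) < 2+ns || raw[0] != 0x6a || int(raw[1]) != len(raw)-2 {
				continue
			}
			if plain, err := gcm.Open(nil, raw[2:2+ns], raw[2+ns:], nil); err == nil {
				return string(plain), id, nil
			}
		}
	}
	return "", "", fmt.Errorf("no decryptable C2 address in %d transactions", len(txs))
}

// sealOpReturn fabricates a constructed sample output (12-byte nonce) so the demo runs offline.
func sealOpReturn(key, nonce []byte, msg string) string {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	blob := append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, []byte(msg), nil)...)
	return hex.EncodeToString(append([]byte{0x6a, byte(len(blob))}, blob...))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed placeholder, not a real key
	txs := map[string][]string{
		"tx-constructed-1": {"6a04deadbeef"}, // unrelated short OP_RETURN payload, skipped
		"tx-constructed-2": {sealOpReturn(key, []byte("constructed!"), "c2.example.invalid:443")},
	}
	fmt.Println(DiscoverC2(txs, key))
}
```

Tracking the wallet this way is what lets a defender refresh blocklists as the operators rotate C2 domains without touching infected hosts.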

Bleeping Computer reports "Glupteba Malware Is Back in Action After Google Disruption"

Submitted by Anonymous on