Back to Weekly Threat

Glupteba Disrupted by Google

December 22, 2021

By John Rote

On December 2021, Google took action to disrupt Glupteba botnet, a sophisticated botnet which targets Windows machines and protects itself using blockchain technology. Google’s Threat Analysis Group (TAG) took steps to detect and track Glupteba’s malicious activity over time.  The Glupteba botnet involved approximately one million compromised Windows devices worldwide, and at times, grew at a rate of thousands of new devices per day. Glupteba is notorious for stealing users’ credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people’s internet traffic through infected machines and routers.  It is also offers a group of underground cybercrime-as-a-service offering.

These services include selling access to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and selling credit-card numbers (extracard) to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads.

Threat actors behind this malware strain are mainly distributing payloads onto targeted devices via pay-per-install (PPI) networks and traffic purchased from traffic distribution systems (TDS) camouflaged as "free, downloadable software, videos, or movies."  After infecting a host, it can mine for cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices, which later get sold as 'residential proxies' to other cybercriminals.  It also has the capability to download other modules.

The downloaded modules, besides incorporating measures to keep it invisible to detection by antivirus solutions, are designed to execute arbitrary commands pushed by an attacker-controlled server. Glupteba is also notable for the fact that unlike other traditional botnets, the malware leverages the Bitcoin blockchain as a backup command-and-control (C2) system.

"Unfortunately, Glupteba's use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cyber crime organizations," Google's Royal Hansen and Halimah DeLaine Prado said "The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shutdown."  Unfortunately, the operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain.

Additional Information:
The cryptojacking crew were also apparently heavy users of Google’s free cloud hosting services.  Below are some of the actions Google took to disrupta the Glupteba groups activities:

* Disabled 1,183 Google Accounts associated Glupteba
* Identified 908 Cloud Projects hosting malicious files linked to the group
* Removed 63 million Google Docs with malicious elements linking to the Glupteba malware
* Took over Glupteba's key command and control (C2) infrastructure
* Seized 42 domains used by the China-based Nickel hacking group (aka APT15, Bronze Palace, Ke3Chang, Mirage, Playful Dragon, and Vixen Panda)
* Announced a lawsuit against two Russian individuals and 15 unnamed defendants.

Indicators of Compromise:

* nisdably[.]com
* runmodes[.]com
* yturu[.]com
* retoti[.]com
* trumops[.]com
* evocterm[.]com
* iceanedy[.]com
* ninhaine[.]com
* anuanage[.]info

Malware Sha256 Hashes:
* df84d3e83b4105f9178e518ca69e1a2ec3116d3223003857d892b8a6f64b05ba
* eae4968682064af4ae6caa7fff78954755537a348dce77998e52434ccf9258a2
* a2fd759ee5c470da57d8348985dc34348ccaff3a8b1f5fa4a87e549970eeb406
* d8a54d4b9035c95b8178d25df0c8012cf0eedc118089001ac21b8803bb8311f4
* c3f257224049584bd80a37c5c22994e2f6facace7f7fb5c848a86be03b578ee8
* 8632d2ac6e01b6e47f8168b8774a2c9b5fafaa2470d4e780f46b20422bc13047
* 03d2771d83c50cc5cdcbf530f81cffc918b71111b1492ccfdcefb355fb62e025
* e673ce1112ee159960f1b7fed124c108b218d6e5aacbcb76f93d29d61bd820ed
* 8ef882a44344497ef5b784965b36272a27f8eabbcbcea90274518870b13007a0
* 79616f9be5b583cefc8a48142f11ae8caf737be07306e196a83bb0c3537ccb3e
* db84d13d7dbba245736c9a74fc41a64e6bd66a16c1b44055bd0447d2ae30b614
* 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
* 04d71e8af8b5cbec912b82b6ebef7c19c5b888873dfd4609b1e38b2a6c398b2e
* 0b2a84359501923d1aa6ccd4e03b3f1b619e01d978efae45feea34a4d0ffed04
* 20e983e90144c385996eeb2edb584d654d898c34725e149682170f870ee12870
* 407c70f0c1a1e34503dae74dd973cf037d607e3c4deb8f063d33f2142f1baf71
* 6b0d90a0571ec870fa26372a1c5d83d06e8febca130a8f710e0c389a3054e05c
* 83bbe9e7b7967ecbc493f8ea40947184c6c7346c6084431fceea0401a6279d29
* 8d19c59db26a3e0a3251c5f05e143558bf009ed0b46fb9b6151f98441407ae8b
* 5e541d1ab46ab3d58e4889b08f5f4427d38afe8320582a63d992eda172af6c7f
* 9e4f09faee3eba3ae271b241cbaf0cb3621845ef83608a8abb3df8791e6c36e1
* dec11036bca8384f81c0c1d534e1f37fd2864c974dad020f32b835af3c7c4e28
* eb35bb221de38f5953f923cd349b4c85a50145329152a8aaa01e4cd8602a560e
* 469953521e9b64eac07f02fecf3488406c65ec1f3d5c182363c8ba0664a4b640

a. hxxps://blog[.]google/threat-analysis-group/disrupting-glupteba-operation/
b. hxxps://www[.]
c. hxxps://www[.]
d. hxxps://threatpost[.]com/google-glupteba-botnet-lawsuit/176826/
e. hxxps://
f.  hxxps://github[.]com/sophoslabs/IoCs/blob/master/Trojan-Glupteba