Google disrupts the Glupteba botnet

Google announced to have disrupted the Glupteba botnet, a huge infrastructure composed of more than 1 million Windows PCs worldwide.

Google announced to have taken down the infrastructure operated by the Glupteba, it also sued Russian nationals Dmitry Starovikov and Alexander Filippov for creating and operating the botnet.

The blockchain-enabled botnet has been active since at least 2011, researchers estimate that the Glupteba botnet is currently composed of more than 1 million Windows PCs around the world.

The botnet was involved in stealing users’ credentials and data, mining cryptocurrencies abusing victims’ resources, and setting up proxies to funnel other people’s internet traffic through infected machines and routers.

Botnet operators use to spread the malware via cracked or pirated software and pay-per-install (PPI) schemes.

“In the summer of 2020, Google determined that Glupteba malware was being disseminated on numerous third-party software download sites, online movie streaming sites, and video downloader sites, often advertised as “free downloads.” states the complaint filed in the Southern District of New York for computer fraud and abuse, trademark infringement, and other claims. “Glupteba malware masquerades as free, downloadable software, videos, or movies (“freeware”) and infects a device when a user clicks on a link to the freeware. For example, users who click on a link looking to download a free game instead unknowingly download and install Glupteba malware.”

Google announced to have removed around 63 million Google Docs files used as part of the Glupteba operation to distribute the bot to the victims. The IT giant also removed 1,183 Google accounts, 908 cloud projects, and 870 Google Ads accounts used by the operators.

Google partnered with Internet infrastructure providers and hosting providers, such as CloudFlare, to take down servers used by the gang.

Google researchers believe that the operators of Glupteba botnet will likely attempt to regain control of the malicious infrastructure by using the C2 backup mechanism that leverages the Bitcoin blockchain.

“As announced today, Google has taken action to disrupt the operations of Glupteba, a multi-component botnet targeting Windows computers. We believe this action will have a significant impact on Glupteba’s operations. However, the operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain.” reads the post published by Google.

In court documents [PDF], Google names Dmitry Starovikov and Alexander Filippov as two of Glupteba’s creators.

Google revealed that Starovikov and Filippov also operated several online websites to advertise the botnet. For example, the site dont.farm was used to sell access to compromised Google and Facebook advertising account.

Google researchers also shared Indicators of Compromise (IoCs) for the Glupteba botnet.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Glupteba botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]