Google announced today that it has taken action to disrupt the Glupteba botnet that now controls more than 1 million Windows PCs around the world, growing by thousands of new infected devices each day.
Glupteba is a modular, blockchain-enabled malware family that has been targeting Windows devices since at least 2011, with victims in the US, India, Brazil, and countries across Southeast Asia.
Threat actors behind this malware strain are mainly distributing payloads onto targets’ devices via pay-per-install (PPI) networks and traffic purchased from traffic distribution systems (TDS) camouflaged as “free, downloadable software, videos, or movies.”
After infecting a host, the malware can mine cryptocurrency, steal user credentials and browser cookies, and deploy proxies on Windows systems and IoT devices, which are later sold to other cybercriminals as "residential proxies."
As part of Google's concerted effort to disrupt the botnet, the company took over Glupteba's key command and control (C2) infrastructure. That infrastructure is harder to dismantle than a conventional botnet's, because the malware uses a Bitcoin blockchain backup mechanism to locate replacement C2 servers if the main ones stop responding, so sinkholing the known domains alone does not cut the bots off.
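To show why a blockchain-backed fallback makes a takedown harder, here is an added, constructed example of the dead-drop pattern such a mechanism implies: the operator stores an encrypted replacement domain in a Bitcoin OP_RETURN output sent from an address the bot has hard-coded, and the bot scans the public ledger for it when the primary C2 is unreachable. This is illustrative code written for this page, not Glupteba's code, and the page does not describe the real bot's data layout; the transactions, addresses, key, domain names and the HMAC-authenticated SHA-256 stream cipher (a stdlib stand-in for a real AEAD) are all assumptions made for the demo. The same resolver is what a defender would run to learn the new domain before the bots do, since the ledger is public.

```python
"""Dead-drop C2 resolution via Bitcoin OP_RETURN outputs (constructed demo, not Glupteba's code)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Set

OP_RETURN = 0x6A      # marks a provably unspendable data-carrier output
OP_PUSHDATA1 = 0x4C   # next byte holds the push length (for 76..255-byte pushes)
NONCE_LEN, TAG_LEN = 12, 16


@dataclass
class TxOut:
    script_pubkey: bytes


@dataclass
class Tx:
    height: int                      # block height; the newest authenticated update wins
    sender: str                      # simplified: the single address that funded the tx
    outputs: List[TxOut] = field(default_factory=list)


def build_op_return_script(data: bytes) -> bytes:
    """Encode `data` as an OP_RETURN output script (direct push or OP_PUSHDATA1)."""
    if len(data) <= 75:
        return bytes([OP_RETURN, len(data)]) + data
    if len(data) <= 255:
        return bytes([OP_RETURN, OP_PUSHDATA1, len(data)]) + data
    raise ValueError("payload too large for this demo encoder")


def op_return_payload(script: bytes) -> Optional[bytes]:
    """Return the bytes pushed after OP_RETURN, or None if the script is not a well-formed data-carrier output."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    if 1 <= script[1] <= 75:
        n, start = script[1], 2
    elif script[1] == OP_PUSHDATA1 and len(script) >= 3:
        n, start = script[2], 3
    else:
        return None
    data = script[start:start + n]
    return data if len(data) == n else None   # truncated pushes are rejected


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: SHA-256 in counter mode. Demo only, not a production cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag, so a bot can reject forged or corrupted updates."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag first; only authenticated data is ever decrypted and acted on."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def publish_update(key: bytes, nonce: bytes, domain: str, sender: str, height: int) -> Tx:
    """Operator side: post a replacement C2 domain as an OP_RETURN output from a watched address."""
    return Tx(height, sender, [TxOut(build_op_return_script(seal(key, nonce, domain.encode())))])


def resolve_backup_c2(key: bytes, watched: Set[str], txs: List[Tx]) -> Optional[str]:
    """Bot (or defender) side: newest OP_RETURN from a watched address that authenticates wins."""
    for tx in sorted(txs, key=lambda t: t.height, reverse=True):
        if tx.sender not in watched:
            continue
        for out in tx.outputs:
            data = op_return_payload(out.script_pubkey)
            if data is None:
                continue
            domain = open_sealed(key, data)
            if domain is not None:
                return domain.decode("ascii")
    return None


def demo() -> Optional[str]:
    """Constructed ledger: unrelated data, an old update, a new update, and a non-authenticating push."""
    key = hashlib.sha256(b"demo-hardcoded-bot-key").digest()   # constructed; a real bot embeds its key
    watched_addr = "bc1q-watched-demo-address"                  # constructed placeholder, not a real address
    ledger = [
        Tx(100, "bc1q-someone-else", [TxOut(build_op_return_script(b"hello world"))]),
        publish_update(key, b"\x01" * NONCE_LEN, "old-c2.example", watched_addr, 101),
        publish_update(key, b"\x03" * NONCE_LEN, "new-c2.example", watched_addr, 103),
        Tx(104, watched_addr, [TxOut(build_op_return_script(b"not an authenticated update"))]),
    ]
    return resolve_backup_c2(key, {watched_addr}, ledger)


if __name__ == "__main__":
    print(demo())
```

The takeaway for a takedown: seizing or sinkholing the primary domains leaves the bots able to recover as long as the operator can still spend from the watched address and the bots still hold the key. Conversely, anyone who extracts the hard-coded address and key from a sample can run `resolve_backup_c2` against the public chain and block or sinkhole each new domain as soon as the transaction confirms.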
“We believe this action will have a significant impact on Glupteba’s operations,” said Google Threat Analysis Group’s Shane Huntley and Luca Nagy today.