Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It
2022-12-19 13:09

The operators of the Glupteba botnet resurfaced in June 2022 as part of a renewed and "upscaled" campaign, months after Google disrupted the malicious activity.

The botnet is designed to search the public Bitcoin blockchain for transactions involving wallet addresses owned by the threat actor in order to fetch the encrypted C2 server address.

"This is made possible by the OP_RETURN opcode that enables storage of up to 80 bytes of arbitrary data within the signature script," the industrial and IoT security firm explained, adding the mechanism also makes Glupteba hard to dismantle as "there is no way to erase nor censor a validated Bitcoin transaction."
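For analysts monitoring a known wallet, the following added example (not from the article or the researchers' tooling) extracts the data carried by OP_RETURN outputs and checks it against the 80-byte limit quoted above. It assumes the standard null-data layout of OP_RETURN followed by push opcodes; the sample scripts and transaction labels are constructed, and the payload is left encrypted because the article does not describe the cipher.

```python
OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C   # next 1 byte is the push length
OP_PUSHDATA2 = 0x4D   # next 2 bytes (little-endian) are the push length
MAX_PAYLOAD = 80      # size limit quoted in the article

def op_return_payload(script_hex: str):
    """Return the bytes carried by an OP_RETURN output script, else None."""
    try:
        script = bytes.fromhex(script_hex)
    except ValueError:
        return None                      # not valid hex
    if not script or script[0] != OP_RETURN:
        return None                      # ordinary spendable output
    pos, chunks = 1, []
    while pos < len(script):
        op = script[pos]
        pos += 1
        if op <= 75:                     # direct push: opcode is the length
            size = op
        elif op in (OP_PUSHDATA1, OP_PUSHDATA2):
            width = 1 if op == OP_PUSHDATA1 else 2
            if pos + width > len(script):
                return None              # length field truncated
            size = int.from_bytes(script[pos:pos + width], "little")
            pos += width
        else:
            return None                  # non-push opcode: not plain data
        if pos + size > len(script):
            return None                  # push runs past end of script
        chunks.append(script[pos:pos + size])
        pos += size
    return b"".join(chunks)

def scan_outputs(outputs):
    """Return (label, payload_hex, within_limit) for each data-bearing output."""
    hits = []
    for label, script_hex in outputs:
        payload = op_return_payload(script_hex)
        if payload:
            hits.append((label, payload.hex(), len(payload) <= MAX_PAYLOAD))
    return hits

# Constructed sample outputs (labels and scripts are illustrative only).
SAMPLE = [
    ("tx-a", "76a914" + "00" * 20 + "88ac"),   # P2PKH, no data
    ("tx-b", "6a04deadbeef"),                  # direct 4-byte push
    ("tx-c", "6a4c50" + "ab" * 80),            # PUSHDATA1, 80 bytes
    ("tx-d", "6a05dead"),                      # truncated push
]
```

Payloads surfaced this way can be logged per watched address so that a newly published value is noticed as soon as the transaction is seen.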

"While Glupteba operators have resumed activity on some non-Google platforms and IoT devices, shining a legal spotlight on the group makes it less appealing for other criminal operations to work with them," the internet behemoth pointed out in November.

Nozomi Networks, which examined over 1,500 Glupteba samples uploaded to VirusTotal, said it was able to extract 15 wallet addresses that were put to use by the threat actors dating all the way back to June 19, 2019.

"Threat actors are increasingly leveraging blockchain technology to launch cyberattacks," the researchers said.


News URL

https://thehackernews.com/2022/12/glupteba-botnet-continues-to-thrive.html