Google has reportedly taken steps to disrupt the operations of a sophisticated botnet called “Glupteba.” This botnet has infected about a million Windows computers worldwide and stored its command-and-control server addresses on the Bitcoin (BTC) blockchain as a resilience mechanism.
63 million Google docs deleted
In the past year, Google reportedly deleted about 63 million Google documents, specifically documents that were infected with malware. In addition, Google removed approximately 1,200 accounts, more than 900 Cloud Projects and nearly 900 Google Ads accounts, all of which can be linked to the distribution of malware.
To track down the infected files, Google partnered with various parties, including CloudFlare and various hosting providers, and then took down the servers from which these files were shared.
Lawsuit against Russian individuals
In addition, Google has also announced that they have started a lawsuit against two individuals from Russia. These individuals, Dmitry Starovikov and Alexander Filippov, are said to be responsible for managing the botnet, along with 15 other suspects. Google researchers said the following about the botnet:
“Glupteba is known for stealing user data and cookies, mining cryptocurrencies on infected hosts, implementing and deploying proxy components targeting Windows systems and Internet of Things (IoT) devices.”
Active since at least 2011
Glupteba has been in circulation for several years. The botnet was first detected in 2011 by the cybersecurity company Sophos, which stated at the time that the malware was “capable of continuously thwarting attempts to remove it from an infected machine. Glupteba also takes several approaches to stay low and go undetected.” Although the botnet was first detected in 2011, it may have been active for much longer without being noticed.
For example, the bots take measures to remain invisible to antivirus solutions, but they are also designed to execute arbitrary commands pushed by an attacker-controlled server. Glupteba is also notable because the malware uses Bitcoin’s blockchain as a backup for its command-and-control system.
The malware is programmed to search the public Bitcoin blockchain for transactions involving three wallet addresses owned by the threat actor and to retrieve the encrypted command-and-control server address from them. Because the blockchain is public and its records cannot be taken down, seizing the current servers alone does not stop infected machines from learning a new address, which is what makes the mechanism resilient.
Given that the lawsuit is still pending, it is unknown what the exact outcome will be.