Glupteba is a well-known cryptocurrency-mining trojan whose operation has been active for a few years. That operation has now been disrupted, thanks to a coordinated effort by Google and Cloudflare.
According to Google’s announcement, the company “has taken action to disrupt the operations of Glupteba, a multi-component botnet targeting Windows computers. We believe this action will have a significant impact on Glupteba’s operations.”
There is a chance, however, that Glupteba’s operators will attempt to regain control of the botnet, since they have a backup command-and-control mechanism that uses data encoded on the Bitcoin blockchain.
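The article only says that the fallback channel relies on "data encoded on the Bitcoin blockchain" and does not describe the encoding. The following is an added example, not code from Google's report or from the malware, showing the defender-side task this implies: walking the outputs of raw Bitcoin transactions and pulling out whatever has been stored in `OP_RETURN` outputs, which is the standard (and here assumed) way arbitrary data is embedded in a transaction. The sample transaction is constructed inline; the domain string and the transaction contents are placeholders, not real indicators.

```python
"""Enumerate data stored in OP_RETURN outputs of raw Bitcoin transactions.

Added example. Assumes legacy (non-segwit) transaction serialization and
OP_RETURN-based embedding; the page does not state how Glupteba encodes
its fallback data, so this only shows where a defender would look.
"""
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def encode_varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def read_varint(buf: bytes, pos: int):
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def op_return_script(data: bytes) -> bytes:
    """Build an OP_RETURN <push data> script, choosing the push opcode by size."""
    if len(data) <= 75:
        push = bytes([len(data)])
    elif len(data) <= 0xFF:
        push = bytes([OP_PUSHDATA1, len(data)])
    else:
        push = bytes([OP_PUSHDATA2]) + struct.pack("<H", len(data))
    return bytes([OP_RETURN]) + push + data


def build_tx(outputs) -> bytes:
    """Constructed legacy transaction with one dummy input (test data only)."""
    tx = struct.pack("<I", 1) + encode_varint(1)
    tx += b"\x11" * 32 + struct.pack("<I", 0) + encode_varint(0) + b"\xff\xff\xff\xff"
    tx += encode_varint(len(outputs))
    for value, script in outputs:
        tx += struct.pack("<q", value) + encode_varint(len(script)) + script
    return tx + struct.pack("<I", 0)  # locktime


def extract_pushes(script: bytes):
    """Return the data pushes following OP_RETURN; stop at any non-push opcode."""
    pushes, pos = [], 1
    while pos < len(script):
        op = script[pos]
        if 1 <= op <= 75:
            n, pos = op, pos + 1
        elif op == OP_PUSHDATA1:
            n, pos = script[pos + 1], pos + 2
        elif op == OP_PUSHDATA2:
            n, pos = struct.unpack_from("<H", script, pos + 1)[0], pos + 3
        else:
            break
        pushes.append(script[pos:pos + n])
        pos += n
    return pushes


def parse_outputs(tx: bytes):
    """Parse (value, scriptPubKey) pairs from a legacy-serialized transaction."""
    if tx[4] == 0x00 and tx[5] == 0x01:
        raise ValueError("segwit serialization not handled by this example")
    pos = 4  # skip version
    n_in, pos = read_varint(tx, pos)
    for _ in range(n_in):
        pos += 36  # prev txid + vout
        slen, pos = read_varint(tx, pos)
        pos += slen + 4  # scriptSig + sequence
    n_out, pos = read_varint(tx, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", tx, pos)[0]
        pos += 8
        slen, pos = read_varint(tx, pos)
        outputs.append((value, tx[pos:pos + slen]))
        pos += slen
    return outputs


def op_return_payloads(tx: bytes):
    """All data pushes found in OP_RETURN outputs of the transaction."""
    payloads = []
    for _value, script in parse_outputs(tx):
        if script and script[0] == OP_RETURN:
            payloads.extend(extract_pushes(script))
    return payloads


def describe_payload(data: bytes):
    """Label a payload as printable text or opaque bytes (hex) for triage."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ("opaque", data.hex())
    return ("text", text) if text.isprintable() else ("opaque", data.hex())


# Constructed sample: a placeholder domain, an opaque blob, and a normal P2PKH output.
SAMPLE_TX = build_tx([
    (0, op_return_script(b"example.invalid")),
    (0, op_return_script(b"\x00" * 100)),
    (1000, b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"),
])

if __name__ == "__main__":
    for payload in op_return_payloads(SAMPLE_TX):
        print(describe_payload(payload))
```

In practice the transactions would come from a node or block explorer for wallet addresses already tied to the campaign; an opaque payload is the expected case, since encoded or encrypted data will not decode as text, and the value of the check is in tracking when such outputs appear and change.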
How was the Glupteba botnet disrupted?
Google identified several binaries that contained a git repository URL (git.voltronwork.com) during an analysis. This discovery led to an investigation and to the eventual conclusion that Google had come across multiple online services connected to Glupteba. The services included selling access to virtual machines loaded with harvested credentials, proxy access, and credit card details, all used to enable further malicious operations (including serving malicious ads and Google Ads payment fraud).
A collaboration with several hosting providers and Cloudflare followed, which helped disrupt Glupteba’s botnet activity by taking down servers and placing warning interstitial pages in front of the malicious domain names. During this time, an additional 130 Google accounts associated with the operation were terminated, the company added in the announcement.
More about the Glupteba trojan
Glupteba is a trojan previously detected by cybersecurity experts and known to mine the Monero cryptocurrency and to act as a password and data stealer. The malware has been through several evolution stages. A version detected in 2019 was documented to be using Bitcoin via an Electrum wallet. That version dropped a few malicious components onto a victim’s computer while exploiting the nearest router on the compromised network.