The operators of the Glupteba botnet resurfaced in June 2022 as part of a renewed and “upscaled” campaign, months after Google disrupted the malicious activity.
The ongoing attack is suggestive of the malware’s resilience in the face of takedowns, cybersecurity company Nozomi Networks said in a write-up. “In addition, there was a tenfold increase in TOR hidden services being used as C2 servers since the 2021 campaign,” it noted.
The malware, which is distributed through fraudulent ads or software cracks, is also equipped to retrieve additional payloads that enable it to steal credentials, mine cryptocurrencies, and expand its reach by exploiting vulnerabilities in IoT devices from MikroTik and Netgear.
It’s also an instance of an unusual malware that leverages blockchain as a mechanism for command-and-control (C2) since at least 2019, rendering its infrastructure resistant to takedown efforts as in the case of a traditional server.
Specifically, the botnet is designed to search the public Bitcoin blockchain for transactions related to wallet addresses owned by the threat actor so as to fetch the encrypted C2 server address.
images from Hacker News