[MART] - Daily Diary #407 - Glupteba Botnet Disrupted

CTAS-MAT ctas-mat at appgate.com
Wed Dec 8 22:09:56 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

12/08/2021 - Diary entry #407:

Glupteba, mentioned in our Daily Diaries #308 and #333, is a multi-purpose threat that doubles as a botnet and backdoor. Glupteba is known to steal credentials, cookies, mine cryptocurrencies on infected devices, and deploy proxy components targeting Windows and IoT devices worldwide.

It's common for malware to use public cloud services such as AWS S3, Google Docs, and even YouTube videos, to store C2 addresses used by botnet on infected devices. This technique allows malware to bypass common firewall rules, as those services are hardly blocked, and connecting to those services can be viewed as trusted for some security solutions.

Since Google's products are abused by threats like Glupteba, the company took actions over the past year to terminate around 63 million Google Docs that were observed to have distributed the malware, alongside 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with Glupteba distribution.

Besides law enforcement agencies, private sector companies are also making efforts to disrupt threats' infrastructures. Those actions force threat actors to change their tactics, suffering temporary setbacks in their operations. Unfortunately, Glupteba is using blockchain technology as a resiliency mechanism, allowing the botnet to recover more quickly from disruptions.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20211208/4c83892c/attachment.htm>

More information about the MART mailing list