Google has taken legal and technical action to disrupt the Glupteba malware and botnet operation, the tech giant announced Tuesday.
Though the Glupteba trojan has been known in some form since 2011, it has since grown into a large, sophisticated botnet. Often installed through pirated software downloads, the malware is typically used to steal information and mine cryptocurrency. According to Google's investigation, approximately one million devices are currently compromised by the botnet.
The company filed a civil complaint against Dmitry Starovikov and Alexander Filippov, two Russian residents and the alleged operators of Glupteba, for "the theft and unauthorized use of Google users' login and account information." Google filed the complaint under the Racketeer Influenced and Corrupt Organizations (RICO) Act, and said it seeks "injunctive relief and compensatory and punitive damages in an amount to be proven at trial."
"Google has been and continues to be directly injured by Defendants' conduct," the complaint read.
In addition to the legal action, Google announced Tuesday that it had, at least temporarily, disrupted Glupteba's operations. As detailed in a technical post, Google's Threat Analysis Group worked with both internal and external partners over the past year to take down command and control servers and to terminate the Google accounts and cloud resources used by the threat actors.
"We've terminated around 63M Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with their distribution," the technical post read. "Furthermore, 3.5M users were warned before downloading a malicious file through Google Safe Browsing warnings."
Taking down Glupteba is more complicated than taking down a typical botnet because of its command and control (C2) backup mechanism, which uses the Bitcoin blockchain: the bots do not depend on a fixed domain or server that defenders can seize, but on data written into public transactions that nobody can remove.
Erin Plante, senior director of investigative services at blockchain security vendor Chainalysis, told SearchSecurity that due to this backup mechanism, "whenever one of Glupteba's C2 [command and control] servers is shut down, it can simply scan the blockchain to find the new C2 server domain address, hidden amongst the hundreds of thousands of daily Bitcoin transactions worldwide." Plante added that Google "used Chainalysis products and investigative services to investigate the botnet."
According to Google's technical post, "the operators of Glupteba are likely to attempt to regain control of the botnet" due to the backup mechanism.
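To make the rendezvous mechanism Plante describes concrete, here is an added example, written for this article and not code from Google, Chainalysis or the Glupteba operators. It assumes the fallback domain is carried in an OP_RETURN output of a transaction from an address the bot watches (public analyses of Glupteba describe that arrangement, though the article itself does not name OP_RETURN), and it skips the encryption a real implementation would put on the payload. The transactions are constructed inline and never broadcast; the parser walks a raw legacy Bitcoin transaction, pulls out every OP_RETURN payload, and the resolver returns the newest one that looks like a hostname, which is why shutting down the old C2 server alone does not break the bots.

```python
"""Toy blockchain-backed C2 rendezvous: OP_RETURN parsing plus a resolver.
Constructed illustration, not Glupteba's code; no real transactions used."""
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E


def read_varint(buf: bytes, pos: int):
    """Decode a Bitcoin CompactSize integer; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def encode_varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    return b"\xfe" + struct.pack("<I", n)


def push_data(payload: bytes) -> bytes:
    """Encode a script data push with the minimal push opcode."""
    n = len(payload)
    if n <= 75:
        return bytes([n]) + payload
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + payload
    return bytes([OP_PUSHDATA2]) + struct.pack("<H", n) + payload


def op_return_payload(script: bytes):
    """Return the bytes pushed after OP_RETURN, or None for any other script."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op, pos = script[1], 2
    if 1 <= op <= 75:
        n = op
    elif op == OP_PUSHDATA1:
        n, pos = script[2], 3
    elif op == OP_PUSHDATA2:
        n, pos = struct.unpack_from("<H", script, 2)[0], 4
    elif op == OP_PUSHDATA4:
        n, pos = struct.unpack_from("<I", script, 2)[0], 6
    else:
        return None
    data = script[pos:pos + n]
    return data if len(data) == n else None      # truncated push -> reject


def build_tx(op_return_data: bytes) -> bytes:
    """Serialize a minimal legacy transaction with one OP_RETURN output and
    one dummy P2PKH output (constructed sample data: fake txid, fake hash)."""
    prev_txid = b"\x11" * 32                                  # not a real txid
    txin = (prev_txid + struct.pack("<I", 0) + encode_varint(0)
            + struct.pack("<I", 0xFFFFFFFF))
    null_data = bytes([OP_RETURN]) + push_data(op_return_data)
    p2pkh = bytes.fromhex("76a914") + b"\x22" * 20 + bytes.fromhex("88ac")
    txouts = (struct.pack("<q", 0) + encode_varint(len(null_data)) + null_data
              + struct.pack("<q", 1000) + encode_varint(len(p2pkh)) + p2pkh)
    return (struct.pack("<i", 1) + encode_varint(1) + txin
            + encode_varint(2) + txouts + struct.pack("<I", 0))


def op_return_outputs(raw_tx: bytes):
    """Walk a raw legacy (non-segwit) transaction; collect OP_RETURN payloads."""
    pos = 4                                      # version
    n_in, pos = read_varint(raw_tx, pos)
    for _ in range(n_in):
        pos += 36                                # prev txid + output index
        slen, pos = read_varint(raw_tx, pos)
        pos += slen + 4                          # scriptSig + sequence
    n_out, pos = read_varint(raw_tx, pos)
    found = []
    for _ in range(n_out):
        pos += 8                                 # value in satoshis
        slen, pos = read_varint(raw_tx, pos)
        data = op_return_payload(raw_tx[pos:pos + slen])
        if data is not None:
            found.append(data)
        pos += slen
    return found


def resolve_fallback_c2(tx_history):
    """Given the watched address's transactions oldest-first, return the newest
    OP_RETURN payload that decodes as a hostname, else None. The operator only
    has to post a new transaction to move the whole botnet to a fresh domain."""
    for raw in reversed(tx_history):
        for data in op_return_outputs(raw):
            try:
                host = data.decode("ascii")
            except UnicodeDecodeError:
                continue
            if host and "." in host and all(c.isalnum() or c in ".-" for c in host):
                return host
    return None


if __name__ == "__main__":
    history = [build_tx(b"old-c2.example"), build_tx(b"new-c2.example")]
    print(resolve_fallback_c2(history))          # new-c2.example
```

The same `op_return_outputs` walk is what a defender would run over a node's mempool or recent blocks to watch an operator's address for a new post; what it cannot do is delete the data, which is the point of the design.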
Alexander Culafi is a writer, journalist and podcaster based in Boston.