February 2, 2023

Google in last December 2021, announced that it has taken down the infrastructure operated by the Glupteba botnet. The blockchain-enabled botnet has been active since at least 2011. It’s been estimated that this botnet was composed of more than 1 million Windows PCs around the world as of December 2021.

It was indulged in stealing users’ credentials and data, mining cryptocurrencies abusing victims’ resources, and setting up proxies to funnel other people’s internet traffic through infected machines and routers. The malware is spread via cracked or pirated software.

Advertisements

Researchers reported that the Glupteba botnet is back and reported a surge in the number of infections worldwide. A significant increase of malicious bitcoin addresses along with the increase in TOR hidden service being used as C2 servers.
The researchers observed a new campaign that started in June 2022 after the Google lawsuit and is still ongoing.

Researchers believe that at least five different merchants and exchanges were used to fund the Glupteba addresses since 2019. The experts identified 15 Glupteba bitcoin addresses over 4 years, likely involved in four different campaigns

The experts used passive DNS records to uncover Glupteba domains and hosts and analyzed the latest set of TLS certificates used by the bot to figure out the infrastructure used by the attackers.

One of the addresses had 11 transactions and was used by 1,197 samples, with the last seen activity reported on November 8, 2022.

For defenders and responders, it’s been suggested blocking blockchain-related domains like blockchain.info but also Glupteba known C2 domains in your environment. Continuous monitoring of DNS logs and keeping the antivirus software up to date to help prevent a potential Glupteba infection.

This research was documented by researchers from Nazoami Networks

Advertisements

Indicators of Compromise

IOCDescriptioncdneurops[.]picsC2 domain 2022mastiakele[.]icuC2 domain 2022mastiakele[.]xyzC2 domain 2022cdneurops[.]buzzC2 domain 2022cdneurops[.]shopC2 domain 2022zaoshanghaoz[.]netC2 domain 2022cdneurop[.]cloudC2 domain 2022cdneurops[.]healthC2 domain 2022mastiakele[.]cyouC2 domain 2022zaoshanghaoz[.]netC2 domain 2022mastiakele[.]ae[.]orgC2 domain 2022zaoshang[.]oooC2 domain 2022cdntokiog[.]studioC2 domain 2022zaoshang[.]moscowC2 domain 2022zaoshang[.]ruC2 domain 2022zaoshanghao[.]suC2 domain 2022duniadekho[.]barC2 domain 2022checkpos[.]netC2 domain 2022dafflash[.]comC2 domain 2021godespra[.]comC2 domain 2021filimaik[.]comC2 domain 2021mydomelem[.]comC2 domain 2021nameiusr[.]comC2 domain 2021younghil[.]comC2 domain 2021newcc[.]comC2 domain 2021 (potential testing domain)nisdably[.]comC2 domain 2021tyturu[.]comC2 domain 2021maxbook[.]spaceC2 domain 2020easywbdesign[.]comC2 domain 2020sndvoices[.]comC2 domain 2020myinfoart[.]xyzC2 domain 2020gfixprice[.]xyzC2 domain 2020getfixed[.]xyzC2 domain 2020anotheronedom[.]comC2 domain 2020sleepingcontrol[.]comC2 domain 2020robotatten[.]comC2 domain 2020deepsound[.]liveC2 domain 2020 (potential testing domain)venoxcontrol[.]comC2 domain 20193ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid[.]onionC2 domain 2022yeug3c6mnwocixwlotka4nwo3fjtfic65o4psmpxvrdul5q7dgjmsvad[.]onionC2 domain 2022x4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd[.]onionC2 domain 2022bihgkrr546ctjdn4mwr7x4bhvwz55sftx6xir6cwlfo6rhppd2eu7syd[.]onionC2 domain 20222pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad[.]onionC2 domain 2022c43tnmrkzfmkjyd3j4v6xbyrd67q6pskzy67dwkzj36uoqwpoju2loyd[.]onionC2 domain 20222pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad[.]onionC2 domain 2022yeug3c6mnwocixwlotka4nwo3fjtfic65o4psmpxvrdul5q7dgjmsvad[.]onionC2 domain 2022dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad[.]onionC2 domain 2022c43tnmrkzfmkjyd3j4v6xbyrd67q6pskzy67dwkzj36uoqwpoju2loyd[.]onionC2 domain 20222pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad[.]onionC2 domain 2022papmcl4r32awafck75y5446n252qqqq4h6c4y2slaayposrtfbcebdqd[.]onionC2 domain 2022maesvpovrwqfaqjw44bbeb2w62h6n7eyosbeit7rfrrdbyjymqaxfryd[.]onionC2 domain 2022yeug3c6mnwocixwlotka4nwo3fjtfic65o4psmpxvrdul5q7dgjmsvad[.]onioC2 domain 2022 with a typo7owe32rodnp3vnx2ekqncoegxolkmb3m2fex5zu6i2bg7ktivhwvczqd[.]onionC2 domain 2021r5vg4h5rlwmo6oa3p3vlckuvf5na2wb2tnqbsbkivhrhlyze6czlpjad[.]onionC2 domain 2021limeprime[.]comAssociated domaingreenphoenix[.]xyzAssociated domainrevouninstaller[.]homesAssociated domaingetyourgift[.]lifeAssociated domain12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TYWallet Address14XZhcCJDguZuZF4p13tfLXJ6puudY7gqsWallet Address15nWGFaodg3efVKATgsaaSPU2TxSbiMHcPWallet Address19RzEN3pqHvgRHGMjjtYCqjVTXt8bnHkK3Wallet Address1AuWUMtjPo7Cc1Ji2pz7DWVvVJ5EjiUaHhWallet Address1BL6NZSoXtMSdquRmePDUCQxFaXtLLSVWGWallet Address1BqY56No1LR64AGcog4mF54UTPnjrPAPHzWallet Address1BrEshrz6gVbVuHGBgJ5GuHBvC2sdoeTAJWallet Address1CfevVPC8cSpFf7QKQwShrFgQYfyQaoXhcWallet Address1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzNWallet Address1KfLXEveeDEi58wvuBBxuywUA1V66F5QXKWallet Address1LQ2EPBwPqdbmXwN6RodPS4xqcm8EtPcaBWallet Address1MuJwQKLQKt1VCBQ9u1RtepW7sDD3AwRE6Wallet Address1Mz2b2onxnAYhJTJQoGHdSBy6wu2HpufVRWallet Address1NX7zTP6C4oGj2y3DaJTrg26AGFWExvYnrWallet Address1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1Wallet Address1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97Wallet Address1HjoomvzjtvZdbznoEijTNAkMjmsFba9fYWallet Address34RqywhujsHGVPNMedvGawFufFW9wWtbXCWallet Address15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6Wallet Address

Leave a Reply

%d bloggers like this: