Google is suing two Russian hackers, Dmitry Starovikov and Alexander Filippov, alleging that they are the masterminds behind the Glupteba botnet, according to a complaint the company filed in the United States District Court for the Southern District of New York.
According to the complaint, Starovikov and Filippov were the “principal operators” of Glupteba. Google claims that the defendants created the botnet for illicit purposes, including the theft and unauthorized use of Google users’ login and account information.
Google has been tracking Glupteba since 2020. Approximately 1 million Windows systems were compromised during this period, and thousands of additional PCs are added to the network every day.
“Botnet” is a contraction of the terms “robot” and “network”. Cybercriminals use special Trojans to breach the security of the computers of different users, take control of each of these infected computers, and group them into a network of remotely manageable “bots”.
Cybercriminals often seek to infect and take control of thousands, tens of thousands, even millions of computers, making themselves absolute masters of a huge “zombie network” (or “bot-network”) capable of launching a Distributed Denial of Service (DDoS) attack, a large-scale spam campaign, or any other type of cyber-attack.
In some cases, cybercriminals establish a large network of bot computers and then sell or lease access to that network to other criminals. Spammers can rent or buy a network to start a large-scale spam campaign.
Glupteba impressed researchers with its ability to remain hidden and thus ensure the longevity and permanence of its attacks. A previously published report on the bot describes its core task in detail: infecting computers in order to install additional malware unnoticed. Currently, one of the most common payloads delivered via the bot is a cryptominer. Once installed on the victim’s computer, the bot can download and run additional tools, which makes the following actions possible:
- Installing rootkits to hide processes and components.
- Stealing browser information by collecting cookies, history and login data and sending them to the command-and-control server.
- Forwarding network requests by installing its own proxy components.
- Exfiltrating a large amount of device data, such as stored configuration information, the operating system build number, the motherboard serial number, the MAC address, the hard disk serial number, the operating system installation date, or the amount of RAM.
- Hijacking vulnerable routers.
According to researchers, the developers of Glupteba have put a lot of effort into functions that protect the bot from detection. For example, it has guards that continuously monitor the Glupteba processes and keep them running, since a crashed or missing process could otherwise raise an alarm on the network.
Glupteba also adds itself to the Windows Defender exclusion lists. Another feature allows the bot to update itself stealthily and restart its processes. In addition, the use of blockchain technology hides updates to the bot’s command-and-control server addresses.
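As an added illustration (not part of the original article or Google’s complaint), the following Python audit scans Windows Defender Event ID 5007 messages, which Defender logs whenever its configuration changes, and flags newly added exclusions that point at locations a dropper typically writes to. The sample events are constructed, and the exact message layout and the list of suspicious directories are assumptions for this example.

```python
import re
from typing import Optional

# Registry key under which Defender stores its exclusions (the three kinds are real).
EXCLUSION_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
EXCLUSION_RE = re.compile(
    r"New value:\s*" + re.escape(EXCLUSION_KEY)
    + r"\\(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x0",
    re.IGNORECASE,
)
# Directories a legitimate admin rarely excludes but malware droppers commonly
# use (assumption for this example; tune to your own environment).
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")

# Constructed (event_id, message) pairs modelled on the 5007 "configuration has
# changed" message, which carries an "Old value:" and a "New value:" line.
SAMPLE_EVENTS = [
    (5007, r"Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\csrss = 0x0"),
    (5007, r"Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Users\alice\AppData\Roaming\winlogon.exe = 0x0"),
    (5007, r"Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Backup Agent = 0x0"),
    (5007, r"Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.exe = 0x0"),
    (5007, r"Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0 New value: ... = 0x1"),
    (1116, r"Windows Defender Antivirus has detected malware or other potentially unwanted software."),
]


def parse_exclusion_change(event_id: int, message: str) -> Optional[dict]:
    """Return the exclusion added by a 5007 event, or None if the event adds no exclusion."""
    if event_id != 5007:
        return None
    m = EXCLUSION_RE.search(message)
    if not m:
        return None
    kind, value = m.group(1).capitalize(), m.group(2).strip()
    # Whole-extension exclusions are always worth a look; path/process exclusions
    # are flagged when they sit in a user-writable or temporary directory.
    suspicious = kind == "Extensions" or any(d in value.lower() + "\\" for d in SUSPICIOUS_DIRS)
    return {"kind": kind, "value": value, "suspicious": suspicious}


def audit(events) -> list:
    """Return only the exclusion changes that merit analyst attention, in event order."""
    findings = []
    for event_id, message in events:
        change = parse_exclusion_change(event_id, message)
        if change and change["suspicious"]:
            findings.append(change)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(f"[!] suspicious Defender {finding['kind']} exclusion: {finding['value']}")
```

On a live host the same logic can be fed from the Microsoft-Windows-Windows Defender/Operational log, and the current exclusion lists can be compared against an approved baseline.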
Google believes that Glupteba was designed particularly for the purpose of stealing Google user data, but it also believes the bot is capable of stealing Bitcoin. Google’s attorneys have demanded that Starovikov and Filippov pay compensation for the harm they have caused and permanently cease using Google services.