## UNCOVERING A BROAD CRIMINAL ECOSYSTEM POWERED BY ONE OF THE LARGEST BOTNETS, GLUPTEBA

###### September 2022

**LUCA NAGY**

-----

##### Luca Nagy

###### Security Engineer @ Google Threat Analysis Group (TAG)

-----

# DISCLAIMER

-----

#### AGENDA

- DISTRIBUTION
- CAPABILITIES & MODULES
- ACTORS

-----

## GLUPTEBA

-----

#### DISTRIBUTION

- Since 2011
- PPI network/TDS
- 1M bots

-----

#### DROPPER CAPABILITIES

###### ROOTKIT

Kernel drivers to hide itself.

- Winmon
  - Process concealment (EPROCESS list)
- WinmonFS
  - Hiding objects (FsFilter callback)
- WinmonProcessMonitor
  - Monitoring and terminating service processes (1224 processes)

-----

#### DROPPER CAPABILITIES

###### BACKDOOR

Controlling the machine by using backdoor functions.

-----

#### DROPPER CAPABILITIES

###### BLOCKCHAIN

For updating C2 domains.

- Hardcoded BTC address
- Hardcoded AES key

-----

#### DROPPER CAPABILITIES

###### BLOCKCHAIN

For updating C2 domains. Ways of reaching the blockchain data:

- Hardcoded list
  - Electrum servers
- GitHub
  - Public JSON list of default Electrum servers
- Blockchain.com
  - HTTP request to blockchain.com

-----

#### DROPPER CAPABILITIES

###### GAIN PERSISTENCE

Autorun registry key, scheduled tasks.

###### SPREADING ON LAN

EternalBlue.

-----

#### DROPPER CAPABILITIES

###### ANTI-VM TECHNIQUES

Checking for a VM environment.

###### SUPPRESS SECURITY

Adding Windows Defender exclusions and firewall rules; disabling PatchGuard and DSE.

-----

#### GLUPTEBA MODULES

###### CHROME EXTENSION

-----

#### PROXY MODULE

##### PROXIES

- TUNNELED PROXY

Hostname pattern `<uuid>.server-<n>.<domain>`, where `<n>` is randomly selected, then incremented.
E.G.: 808f38e3-d84b-45c8-b461-2a4c006a0f4a.server-3.easywbdesign.com

[Diagram: victim machine, C2 server, machine (tunnel). Labels: bot registration, then connect on port 8000; request C2 server and establish connection; response with a random port number; connect back on that port; sending request; providing result.]

-----

#### ANDROID - ADS MODULE

1. Glupteba APK requests http://domainforwork.com/api/pollc with the sent information
2. Received response: [{"command":"showDialog","payload":{"arg":"{\"link\":true,\"advanced_webview\":true,\"can_close\":true,\"block_back\":false,\"click_url\":\"http://domainforwork.com/ads/click?id=7132411\",\"content\":\"https://click.trafspin.com/ads/view-url?id=xxx&url=...

[Diagram: Glupteba on Android and the C2 server. Labels: requesting C2 server for what to display; response with a link for the ad content URL.]

-----

#### BROWSER STEALER

-----

#### WHERE ARE THESE MONETISED?

###### CHROME EXTENSION

-----

## ACTORS

-----

#### CODE EVIDENCE

###### GIT URIS IN GLUPTEBA BINARIES

- Proxy module: git.voltronwork.com

-----

## SERVICES

-----

#### LEGAL ENTITY BASED EVIDENCE

-----

#### WHAT ARE THESE SERVICES?

###### AWMPROXY

Residential proxy provider

###### TRAFSPIN

Advertising network

###### DONT.FARM

Ads account service

-----

#### ARE THESE ASSOCIATED WITH THE MODULES?
[Diagram mapping services to modules: AWMPROXY (residential proxy provider), TRAFSPIN (advertising network) and DONT.FARM (ads account service) alongside the Glupteba proxy, Android ads, browser stealer and Chrome fingerprint modules.]

-----

#### AWMPROXY

###### AWMPROXY

Residential proxy provider

-----

###### PROXY SERVICE

[Diagram: proxies, victim machine.]

-----

#### TRAFSPIN

###### TRAFSPIN

Advertising network

-----

###### RTB ADVERTISING NETWORK

[Diagram: Glupteba on Android, C2 server.]

-----

#### DONT.FARM

###### DONT.FARM

Ads account service

-----

###### ADS ACCOUNT SERVICE

[Diagram: customer gateway, proxy server, virtual machine of dont.farm. Labels: access; proxy; set to Chrome profile folder. The second view adds the browser stealer, proxies, C2 and victim machine.]

-----

## CRIMINAL ECOSYSTEM

-----

#### ECOSYSTEM

-----

## CLOSING REMARKS

-----

#### AFTER DISRUPTION

- Overall botnet size decreased to less than a quarter (from 1M to 220K)
- Went away from Google products
- Partially disrupted services
- No new distribution until the end of May
- Distribution of new samples by the Integral PPI network since May -> botnet size slightly increasing.
  - New BTC addresses
  - Simple XOR-encoded C2 domains in the blockchain
  - .onion C2 domains
  - Using Discord for downloading Tor
  - Using Opera VPN - opera-proxy client (recently started)

-----

#### LESSONS LEARNED

- Glupteba actors make mistakes
- Diverse botnet, diverse usage (services)
- Complex, organized ecosystem, end-to-end solution
- TAG continues to monitor

-----

# THANK YOU!

-----
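For the tunneled-proxy hostname shape on the proxy module slide (`<uuid>.server-<n>.<domain>`, with `<n>` incremented), an added detection example that is not code from the talk or from Google TAG: it matches that shape in DNS query logs and groups hits per client and bot id to confirm the incrementing counter. The log format, client IPs and timestamps are constructed; the bot id and domain are the slide's own example.

```python
import re
from collections import defaultdict

# Hostname shape from the proxy-module slide: <uuid>.server-<n>.<domain>,
# where <uuid> is the bot id and <n> starts at a random value and is incremented.
TUNNEL_RE = re.compile(
    r"^(?P<botid>[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})"
    r"\.server-(?P<n>\d+)\.(?P<domain>[a-z0-9-]+(?:\.[a-z0-9-]+)+)$",
    re.IGNORECASE,
)

def parse_tunnel_host(host):
    """Return (bot_id, n, domain) when host has the tunneled-proxy shape, else None."""
    m = TUNNEL_RE.match(host.strip().rstrip("."))
    if m is None:
        return None
    return m["botid"].lower(), int(m["n"]), m["domain"].lower()

def find_tunnel_clients(dns_lines, min_queries=2):
    """Scan DNS query logs (constructed format: '<ts> <client_ip> <qname> <qtype>') and
    return one alert per (client, bot id, domain) seen at least min_queries times.
    Each alert lists the server counters observed and whether they only ever increased."""
    counters = defaultdict(list)
    for line in dns_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        parsed = parse_tunnel_host(fields[2])
        if parsed is None:
            continue
        bot_id, n, domain = parsed
        counters[(fields[1], bot_id, domain)].append(n)
    alerts = []
    for (client, bot_id, domain), ns in sorted(counters.items()):
        if len(ns) < min_queries:
            continue
        incrementing = all(b > a for a, b in zip(ns, ns[1:]))
        alerts.append({"client": client, "bot_id": bot_id, "domain": domain,
                       "counters": ns, "incrementing": incrementing})
    return alerts

# Constructed sample log; the bot id and domain are the ones shown on the slide.
SAMPLE_LOG = [
    "2022-09-01T10:00:00Z 10.0.0.5 808f38e3-d84b-45c8-b461-2a4c006a0f4a.server-3.easywbdesign.com A",
    "2022-09-01T10:00:01Z 10.0.0.5 www.example.com A",
    "2022-09-01T10:05:00Z 10.0.0.5 808f38e3-d84b-45c8-b461-2a4c006a0f4a.server-4.easywbdesign.com A",
    "2022-09-01T10:09:00Z 10.0.0.5 808f38e3-d84b-45c8-b461-2a4c006a0f4a.server-5.easywbdesign.com A",
    "2022-09-01T10:10:00Z 10.0.0.9 server-1.easywbdesign.com A",
]

if __name__ == "__main__":
    for alert in find_tunnel_clients(SAMPLE_LOG):
        print(alert)
```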
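For the blockchain-based C2 update on the dropper slides and the post-disruption note about simple XOR-encoded C2 domains in the blockchain, an added analyst-side example that is not from the talk: it pulls the OP_RETURN payload out of transaction output scripts and XOR-decodes it to recover domain candidates. The OP_RETURN placement, the repeating-key XOR scheme, the key, the transaction dict shape and the .onion domain are assumptions or constructed sample data, not Glupteba's actual format, and the AES-keyed variant the deck mentions is not shown.

```python
import re
# Assumed, not from the deck: a repeating-key XOR key and a placeholder C2 domain.
XOR_KEY = b"constructed-key"
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")

def extract_op_return(script_hex):
    """Data pushed after OP_RETURN (0x6a): direct push of 1..75 bytes or OP_PUSHDATA1."""
    script = bytes.fromhex(script_hex)
    if len(script) < 2 or script[0] != 0x6A:
        return None
    op = script[1]
    if 1 <= op <= 75:
        length, start = op, 2
    elif op == 0x4C and len(script) >= 3:
        length, start = script[2], 3
    else:
        return None  # not a push opcode this decoder handles
    data = script[start:start + length]
    return data if len(data) == length else None

def xor_bytes(data, key):
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def c2_domains_from_txs(txs, key):
    """Walk explorer-style transaction dicts (constructed shape: txid + vout list with
    script_hex) and return (txid, domain) for each OP_RETURN payload that decodes to a domain."""
    found = []
    for tx in txs:
        for out in tx["vout"]:
            payload = extract_op_return(out["script_hex"])
            if payload is None:
                continue
            try:
                candidate = xor_bytes(payload, key).decode("ascii").lower()
            except UnicodeDecodeError:
                continue  # not printable under this key: ignore
            if DOMAIN_RE.match(candidate):
                found.append((tx["txid"], candidate))
    return found

# Constructed sample: tx-1 carries an encoded .onion domain in OP_RETURN plus a P2PKH output; tx-2 does not decode.
ENCODED = xor_bytes(b"c2updateexample.onion", XOR_KEY)
SAMPLE_TXS = [
    {"txid": "constructed-tx-1", "vout": [
        {"script_hex": "6a" + bytes([len(ENCODED)]).hex() + ENCODED.hex()},
        {"script_hex": "76a914" + "00" * 20 + "88ac"},
    ]},
    {"txid": "constructed-tx-2", "vout": [{"script_hex": "6a04deadbeef"}]},
]
```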