Pulse Detail — Threat Intelligence

PULSE NAME

Nozomi Networks Researchers Track Malicious Glupteba Activity Through the Blockchain

WHITE eric.ford 2022-12-19 Modified: 2022-12-19

IOCs

HIGH VOLUME

Nozomi reports that the Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago. Nozomi analysis reveals a new, large-scale Glupteba campaign that started in June 2022 and is still ongoing based on data from blockchain transactions, TLS certificate registrations and reverse engineering Glupteba samples.

malware/glupteba

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1090 T1546 T1003

MALWARE FAMILIES

Glupteba

Indicators of Compromise (82)

All BitcoinAddress FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain

TYPE	INDICATOR	DESCRIPTION	CREATED
BitcoinAddress	12EfzLra6LttQ8RWvBTDzJUjYE6eRxx4TY	—	2022-12-19
BitcoinAddress	14XZhcCJDguZuZF4p13tfLXJ6puudY7gqs	—	2022-12-19
BitcoinAddress	15nWGFaodg3efVKATgsaaSPU2TxSbiMHcP	—	2022-12-19
BitcoinAddress	15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6	—	2022-12-19
BitcoinAddress	19RzEN3pqHvgRHGMjjtYCqjVTXt8bnHkK3	—	2022-12-19
BitcoinAddress	1AuWUMtjPo7Cc1Ji2pz7DWVvVJ5EjiUaHh	—	2022-12-19
BitcoinAddress	1BL6NZSoXtMSdquRmePDUCQxFaXtLLSVWG	—	2022-12-19
BitcoinAddress	1BqY56No1LR64AGcog4mF54UTPnjrPAPHz	—	2022-12-19
BitcoinAddress	1BrEshrz6gVbVuHGBgJ5GuHBvC2sdoeTAJ	—	2022-12-19
BitcoinAddress	1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97	—	2022-12-19
BitcoinAddress	1CfevVPC8cSpFf7QKQwShrFgQYfyQaoXhc	—	2022-12-19
BitcoinAddress	1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1	—	2022-12-19
BitcoinAddress	1Cxy9e6KtHtBJrQwCwpKgcyp6dhncx6eNh	—	2022-12-19
BitcoinAddress	1CzetoTU29WbhNy1UozrQpxuFuCVxffbTd	—	2022-12-19
BitcoinAddress	1GLjCyG3fDf7vT3SxwtEUx7Z2w2UQrR3FU	—	2022-12-19
BitcoinAddress	1HSC8Yt2yjuFUSGpUfJnwLMr4HzNxV3dvP	—	2022-12-19
BitcoinAddress	1HjoomvzjtvZdbznoEijTNAkMjmsFba9fY	—	2022-12-19
BitcoinAddress	1HzJkTn6Z5nDrgbR6dHVBDVtsRYqwDmGzN	—	2022-12-19
BitcoinAddress	1KfLXEveeDEi58wvuBBxuywUA1V66F5QXK	—	2022-12-19
BitcoinAddress	1LQ2EPBwPqdbmXwN6RodPS4xqcm8EtPcaB	—	2022-12-19
BitcoinAddress	1MuJwQKLQKt1VCBQ9u1RtepW7sDD3AwRE6	—	2022-12-19
BitcoinAddress	1Mz2b2onxnAYhJTJQoGHdSBy6wu2HpufVR	—	2022-12-19
BitcoinAddress	1NX7zTP6C4oGj2y3DaJTrg26AGFWExvYnr	—	2022-12-19
BitcoinAddress	1bRfcRZVws98j3QQEZxrgRVd15vVF6zSU	—	2022-12-19
BitcoinAddress	34RqywhujsHGVPNMedvGawFufFW9wWtbXC	—	2022-12-19
FileHash-MD5	e2aad08f11d13fcb4fcd6ddedcb716e9	MD5 of c6d4ce67dd25764f571a84caa19fa6c2b067cae6	2022-12-19
FileHash-SHA1	c6d4ce67dd25764f571a84caa19fa6c2b067cae6	—	2022-12-19
FileHash-SHA256	c59a234f3a71d3f177cacf704bd25bfea6ce41c549651638d8ee4ed120ff90b2	SHA256 of c6d4ce67dd25764f571a84caa19fa6c2b067cae6	2022-12-19
domain	2pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad.onion	—	2022-12-19
domain	3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion	—	2022-12-19
domain	7owe32rodnp3vnx2ekqncoegxolkmb3m2fex5zu6i2bg7ktivhwvczqd.onion	—	2022-12-19
domain	anotheronedom.com	—	2022-12-19
domain	bihgkrr546ctjdn4mwr7x4bhvwz55sftx6xir6cwlfo6rhppd2eu7syd.onion	—	2022-12-19
domain	blockstream.info	—	2022-12-19
domain	c43tnmrkzfmkjyd3j4v6xbyrd67q6pskzy67dwkzj36uoqwpoju2loyd.onion	—	2022-12-19
domain	cdneurop.cloud	—	2022-12-19
domain	cdneurops.buzz	—	2022-12-19
domain	cdneurops.health	—	2022-12-19
domain	cdneurops.pics	—	2022-12-19
domain	cdneurops.shop	—	2022-12-19
domain	cdntokiog.studio	—	2022-12-19
domain	checkpos.net	—	2022-12-19
domain	dafflash.com	—	2022-12-19
domain	deepsound.live	—	2022-12-19
domain	dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion	—	2022-12-19
domain	duniadekho.bar	—	2022-12-19
domain	easywbdesign.com	—	2022-12-19
domain	filimaik.com	—	2022-12-19
domain	getfixed.xyz	—	2022-12-19
domain	getyourgift.life	—	2022-12-19
domain	gfixprice.xyz	—	2022-12-19
domain	godespra.com	—	2022-12-19
domain	greenphoenix.xyz	—	2022-12-19
domain	limeprime.com	—	2022-12-19
domain	limeprime.org	—	2022-12-19
domain	maesvpovrwqfaqjw44bbeb2w62h6n7eyosbeit7rfrrdbyjymqaxfryd.onion	—	2022-12-19
domain	mastiakele.cyou	—	2022-12-19
domain	mastiakele.icu	—	2022-12-19
domain	mastiakele.xyz	—	2022-12-19
domain	maxbook.space	—	2022-12-19
domain	mydomelem.com	—	2022-12-19
domain	myinfoart.xyz	—	2022-12-19
domain	nameiusr.com	—	2022-12-19
domain	newcc.com	—	2022-12-19
domain	nisdably.com	—	2022-12-19
domain	papmcl4r32awafck75y5446n252qqqq4h6c4y2slaayposrtfbcebdqd.onion	—	2022-12-19
domain	r5vg4h5rlwmo6oa3p3vlckuvf5na2wb2tnqbsbkivhrhlyze6czlpjad.onion	—	2022-12-19
domain	revouninstaller.homes	—	2022-12-19
domain	robotatten.com	—	2022-12-19
domain	sleepingcontrol.com	—	2022-12-19
domain	sndvoices.com	—	2022-12-19
domain	tmetres.com	—	2022-12-19
domain	tyturu.com	—	2022-12-19
domain	venoxcontrol.com	—	2022-12-19
domain	x4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd.onion	—	2022-12-19
domain	yeug3c6mnwocixwlotka4nwo3fjtfic65o4psmpxvrdul5q7dgjmsvad.onion	—	2022-12-19
domain	younghil.com	—	2022-12-19
domain	zaoshang.moscow	—	2022-12-19
domain	zaoshang.ooo	—	2022-12-19
domain	zaoshang.ru	—	2022-12-19
domain	zaoshanghao.su	—	2022-12-19
domain	zaoshanghaoz.net	—	2022-12-19

References (1)

↗ https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/