Google obtained a temporary court order from the US to disrupt the distribution of Cryptbot, a Windows-based malware responsible for infecting and stealing information from over 670,000 computers in 2022.
The malware was first discovered in December 2019 by Bleeping Computer, nested inside modified Inter VPN Pro software on a false website.
In a press release, Google’s Mike Trinh and Pierre-Marc Bureau stated:
“Last year, we shared details about our success in holding operators of the Glupteba botnet responsible for their targeting of online users. We noted that our work was not done and that we would continue raising awareness around issues and working to disrupt groups looking to take advantage of users. Today, we’re sharing another milestone in that work.”
The court order, granted by a federal judge in the Southern District of New York, gives Google the authority to “take down current and future domains that are tied to the distribution of Cryptbot.”
Google finds itself an unwitting accomplice to the spread, as CryptBot uses unofficially modified versions of Google Earth Pro and Google Chrome hosted on phishing websites. CryptoBot has pillaged authentication credentials, social media account login info, and cryptocurrency wallets from Google Chrome.
To combat the threat, Trinh and Bureau provided basic but evergreen pointers when considering any software download:
Download from well-known and trusted sources: Only download software from the official website or app store and take Chrome Safe Browsing warnings seriously.
Read reviews and do your research: Before downloading any software, do research on the product, and read reviews from others who have already downloaded and used the software.
Keep your operating system and software up-to-date: Make sure to regularly update your device’s operating system and software to the latest version. Updates often include security patches and bug fixes that can help protect from threats.
These actions come shortly after Google’s December 2021 legal efforts to shut down the command-and-control infrastructure associated with a botnet called Glupteba. However, the malware resurfaced a mere six months later, with Nozomi Networks reporting “a tenfold increase in TOR hidden service being used as C2 servers since the 2021 campaign.”
Time will tell if Google’s efforts to halt CryptBot’s spread yield productive efforts or if the malware proves to be another Hydra multiplying with each strike.