Google disrupts the CryptBot info-stealing malware operation


Google is taking down malware infrastructure linked to the Cryptbot info stealer after suing those using it to infect Google Chrome users and steal their data.

The lawsuit targets Cryptbot’s infrastructure and distribution network, whose disruption would help decrease the number of victims having their sensitive information stolen using the malware.

“Our litigation was filed against several of CryptBot’s major distributors who we believe are based in Pakistan and operate a worldwide criminal enterprise,” said Google’s Head of Litigation Advance, Mike Trinh, and Threat Analysis Group’s Pierre-Marc Bureau.

“The legal complaint is based on a variety of claims, including computer fraud and abuse and trademark infringement.”

To hinder the spread of CryptBot, the court has granted Google a temporary restraining order that allows the company to disrupt the distributors and their infrastructure.

The order empowers Google to take down domains associated with CryptBot distribution (both currently active domains and those registered after the order is issued), helping curb the number of new infections and slowing the malware network’s growth.

“Yesterday, a federal judge in the Southern District of New York unsealed our civil action against the malware distributors of Cryptbot, which we estimate infected approximately 670,000 computers this past year and targeted users of Google Chrome to steal their data,” Trinh and Bureau said.

“We’re targeting the distributors who are paid to spread malware broadly for users to download and install, which subsequently infects machines and steals user data.”

What is CryptBot?

CryptBot is an information-stealing Windows malware designed to harvest sensitive data from victims’ computers. This data can include login credentials, credit card information, and other personal or financial details that can be used for various fraudulent purposes.

After the malware infects a device, it silently harvests data and sends it back to its command and control (C2) server without the victim’s knowledge.

The data stolen by CryptBot can be used for various criminal activities, including identity theft, financial fraud, and gaining unauthorized access to accounts and systems.

“Recent CryptBot versions have been designed to specifically target users of Google Chrome, which is where Google’s CyberCrimes Investigations Group (CCIG) and Threat Analysis Group (TAG) teams worked to identify the distributors, investigate and take action,” Google said.

The company also took legal action to disrupt the Glupteba botnet in December 2021, after the modular, blockchain-enabled malware had infected more than one million Windows devices worldwide since 2011.

As revealed in November 2022, Google TAG observed a 78% drop in Glupteba infections despite the botnet resuming operations after the initial disruption action.
