Google starts taking down CryptBot malware infrastructure


A court order has been granted to Google to take down the malware infrastructure associated with Cryptbot info stealer after the company filed a lawsuit against those who were using the malware to infect Google Chrome users and steal their data.

The lawsuit targets Cryptbot’s infrastructure and distribution network, whose disruption would help decrease the number of victims having their sensitive information stolen using the malware.

Zubair Saeed, Raheel Arshad, Mohammad Rasheed Siddiqui, and 15 other unnamed defendants from Pakistan are charged with running fraudulent websites that tricked unsuspecting users into downloading malicious Google Earth Pro and Google Chrome versions.

These victims were under the impression that they were downloading legitimate software, which in reality, installed Cryptbot malware designed to steal their personal and financial information.

“Our litigation was filed against several of CryptBot’s major distributors who we believe are based in Pakistan and operate a worldwide criminal enterprise,” Mike Trinh, Head of Litigation Advance, and Threat Analysis Group’s Pierre-Marc Bureau said.

“The legal complaint is based on a variety of claims, including computer fraud and abuse and trademark infringement.”

To hinder the spread of CryptBot, the court has granted Google a temporary restraining order which allows the company to disrupt the distributors and their infrastructure.

The court order empowers Google to take down domains associated with CryptBot distribution, both those currently active and those registered after the order is issued, thus helping curb the number of new infections and slowing the malware network’s growth.

“Yesterday, a federal judge in the Southern District of New York unsealed our civil action against the malware distributors of Cryptbot, which we estimate infected approximately 670,000 computers this past year and targeted users of Google Chrome to steal their data,” Trinh and Bureau said.

“We’re targeting the distributors who are paid to spread malware broadly for users to download and install, which subsequently infects machines and steals user data.”

What is CryptBot

CryptBot info stealer is a Windows malware designed to steal sensitive information from victims’ computers. This information can include login credentials, credit card details, and other personal or financial data that can be used for various fraudulent purposes.

After the malware infects a device, it silently harvests data and sends it back to its command and control (C2) server without the victim’s knowledge.

The data stolen by CryptBot can be used for various criminal activities, including identity theft, financial fraud, as well as gaining unauthorized access to accounts and systems.

“Recent CryptBot versions have been designed to specifically target users of Google Chrome, which is where Google’s CyberCrimes Investigations Group (CCIG) and Threat Analysis Group (TAG) teams worked to identify the distributors, investigate and take action,” Google said.

The company also took legal action to disrupt the Glupteba botnet in December 2021, after the blockchain-enabled, modular malware had infected more than one million Windows devices worldwide since 2011.

As revealed in November 2022, Google TAG observed a 78% drop in Glupteba infections despite the botnet resuming operations after the initial disruption action.

Update April 27, 18:30 EDT: Added link to court documents.
