GlassWorm Botnet Takedown

www.news4hackers.com-glassworm-botnet-takedown-glassworm-botnet-takedown

The Takedown of the GlassWorm Botnet

The researchers at CrowdStrike, along with Google and the Shadowserver Foundation, recently took down the command-and-control (C&C) infrastructure of the GlassWorm botnet.

Evasion Tactics and Spread

The GlassWorm botnet utilized various methods to evade detection, including using the Solana blockchain for its C&C infrastructure, Google Calendar, the BitTorrent peer-to-peer network, and traditional servers hosted on commercial virtual private server (VPS) providers as backups.

According to the researchers, “The malware encoded C&C addresses in the memo fields of blockchain transactions, which cannot be modified or deleted.”

In addition to leveraging these unique evasion tactics, GlassWorm also employed Unicode variation selectors to hide its code within code editors, making it nearly impossible for humans to spot.

Initially spread through trojanized Visual Studio extensions via the OpenVSX marketplace, the malware later also appeared on GitHub.

Evolution and Adaptation

Over the course of more than a year, the operators behind GlassWorm continually evolved and adapted, adopting new programming languages, expanding across different package ecosystems, and building redundant infrastructure designed to withstand takedown attempts.

They targeted various platforms, including Visual Studio Code, npm, PyPI, and GitHub, stealing sensitive information such as NPM, GitHub, and Git credentials, as well as deploying SOCKS proxy servers and hidden VNC servers for remote access to infected machines.

Takedown and Future Implications

The take-down of the GlassWorm botnet highlights the need for increased vigilance and proactive measures to prevent similar attacks in the future.

Organizations are advised to check for connections to the benign IP address 164.92.88.210 to identify potential infections. Additionally, the researchers emphasize that developer environments, build pipelines, and code repositories often remain under-protected, and that adversaries are now targeting the developers who build software rather than just the products themselves.

Origin and Warning

The fact that the malware checked the system’s locale and avoided infecting machines in Commonwealth of Independent States (CIS) countries, and included Russian-language comments in its code, suggests that the operators are of Russian origin.

CrowdStrike emphasizes that the takedown of the GlassWorm botnet serves as a wake-up call for every organization that ships or consumes software. They note that attackers are no longer just targeting products, but are instead targeting the developers who build them.



About Author

en_USEnglish