GlassWorm Botnet Takedown
The Takedown of the GlassWorm Botnet
The researchers at CrowdStrike, along with Google and the Shadowserver Foundation, recently took down the command-and-control (C&C) infrastructure of the GlassWorm botnet.
Evasion Tactics and Spread
The GlassWorm botnet utilized various methods to evade detection, including using the Solana blockchain for its C&C infrastructure, Google Calendar, the BitTorrent peer-to-peer network, and traditional servers hosted on commercial virtual private server (VPS) providers as backups.
In addition to leveraging these unique evasion tactics, GlassWorm also employed Unicode variation selectors to hide its code within code editors, making it nearly impossible for humans to spot.
Evolution and Adaptation
Over the course of more than a year, the operators behind GlassWorm continually evolved and adapted, adopting new programming languages, expanding across different package ecosystems, and building redundant infrastructure designed to withstand takedown attempts.
Takedown and Future Implications
The take-down of the GlassWorm botnet highlights the need for increased vigilance and proactive measures to prevent similar attacks in the future.
Origin and Warning
The fact that the malware checked the system’s locale and avoided infecting machines in Commonwealth of Independent States (CIS) countries, and included Russian-language comments in its code, suggests that the operators are of Russian origin.
