
Google sues CryptBot slingers, gets court order to shut down malware domains

Google said it obtained a court order to shut down domains used to distribute CryptBot after suing the distributors of the info-stealing malware.

According to the Chocolate Factory’s estimates, the software nasty infected about 670,000 Windows computers in the past year, and specifically targeted Chrome users to pilfer login details, browser cookies, cryptocurrencies, and other sensitive materials from their PCs. 

A New York federal judge this week unsealed a lawsuit that Google filed against the malware’s slingers; the US giant accused the distributors of committing computer fraud and abuse, and trademark infringement by using Google’s marks in their scam. The court granted Google a temporary restraining order, which allowed it to shut down the bot operators’ internet infrastructure.

Usually in this sort of case, Google gets to take its restraining order to the registrars and registries of domain names used to spread malware, and get those domains disabled or handed over.

“Our litigation was filed against several of CryptBot’s major distributors who we believe are based in Pakistan and operate a worldwide criminal enterprise,” said Google’s Head of Litigation Advance Mike Trinh and its Threat Analysis Group’s Pierre-Marc Bureau.

The restraining order will “bolster our ongoing technical disruption efforts against the distributors and their infrastructure,” they added. “This will slow new infections from occurring and decelerate the growth of CryptBot.”

The remote-controlled malware steals sensitive information from victims’ computers, including authentication credentials, social media account login details, credit card info, digital currency wallets, and other private info that criminals can then sell on marketplaces or use in future fraud and intrusions.

The distributors targeted in the lawsuit operated websites that lured unwitting users into downloading malicious versions of Google Earth Pro and Google Chrome, we’re told. Those marks thought they were getting the real deal, but instead they were fetching versions stuffed with the info-stealer malware. Once they installed the software on their computers, their machines were infected with CryptBot.

“Recent CryptBot versions have been designed to specifically target users of Google Chrome, which is where Google’s CyberCrimes Investigations Group (CCIG) and Threat Analysis Group (TAG) teams worked to identify the distributors, investigate and take action,” Trinh and Bureau said.

The CryptBot infrastructure takedown comes about five months after Google won its year-long legal battle against the alleged Glupteba botnet operators, who were based in Russia.

According to Google, Glupteba compromised “millions” of Windows devices. 

Google sued Dmitry Starovikov and Alexander Filippov – along with 15 other John and Jane Does – in December 2021, saying in the original complaint [PDF] that the botnet “is distinguished from conventional botnets in its technical sophistication: unlike other botnets, the Glupteba botnet leverages blockchain technology to protect itself from disruption.” ®