Google shuts down CryptBot malware operation that stole Chrome's user data
Putting an end to a worldwide cybercriminal enterprise
By Alfonso Maruccia
What just happened? The CryptBot gang was targeting users of the Chrome web browser, so Google decided to put an end to its major distribution network. A recently granted court order gives Mountain View the ability to erase CryptBot-related domains from the internet.
CryptBot is a well-known security threat designed to identify and steal sensitive information from victims' computers, including passwords and authentication credentials, social media account logins, cryptocurrency wallets, and much more. In the past 12 months alone, the malware infected approximately 670,000 computers, as the cybercriminals behind it targeted users of Google Chrome to try and steal their data.
The CryptBot infostealer provides cybercriminals with sensitive data that can later be sold to bad actors working in the data breach "business," and malware distributors play a major role in the entire operation. The distributors spread the CryptBot infection by making maliciously modified versions of legit software packages available on the web, then enticing unsuspecting users to download and install those packages so that they unknowingly infect their own machines.
Recent CryptBot versions have been designed to specifically target Chrome users, so Google decided to involve its CyberCrimes Investigations Group (CCIG) and Threat Analysis Group (TAG) teams in an investigation into the malware distributors. The researchers were eventually successful in their pursuit, as Google now says that CryptBot's major distributors are based in Pakistan and "operate a worldwide criminal enterprise."
The Mountain View corporation filed a series of legal complaints against the distributors, including claims of computer fraud and abuse, and trademark infringement. In the past few days, a Southern District of New York court granted Google a "temporary restraining order," which the company can use to support its "ongoing technical disruption efforts" against the distributors of the CryptBot malware and their online infrastructure.
The court order allows Google to take down current and even future domains related to CryptBot's distribution, which, according to Google, will greatly help in slowing down new infections and decelerating the growth of the CryptBot threat.
Google stated that this kind of legal action can be pretty effective against security threats abusing legit software like the Chrome browser. The company did the same thing against the alleged operators of the Russia-based Glupteba botnet in 2021, eventually observing a 78% reduction in Glupteba infections.