Google sues CryptBot slingers, gets court order to shut down malware domains

Google said it obtained a court order to shut down domains used to distribute CryptBot after suing the distributors of the info-stealing malware.

According to the Chocolate Factory's estimates, the software nasty infected about 670,000 Windows computers in the past year, and specifically targeted Chrome users to pilfer login details, browser cookies, cryptocurrencies, and other sensitive materials from their PCs. 

A New York federal judge this week unsealed a lawsuit [PDF] that Google filed against the malware's slingers; the US giant accused the distributors of committing computer fraud and abuse, and trademark infringement by using Google's marks in their scam. The court granted Google a temporary restraining order, which allowed it to shut down the bot operators' internet infrastructure.

Usually in this sort of case, Google gets to take its restraining order to registrars and registries that are under the court's jurisdiction, and get specific domains used to spread the malware disabled.

Judging from the court order [PDF] Google can not only have domains taken down in that fashion, it can show its restraining order to network providers and hosters to get connections to the servers used by CryptBot blocked; get any of the hardware or virtual machines involved switched off and services suspended; materials that would lead to the identification of CryptBot's operators preserved and handed over; ensure steps are taken to keep this infrastructure offline; and much more.

All in all, the order allows Google to wipe from the internet the systems and websites used by CryptBot's operators to spread their software nasty.

"Our litigation was filed against several of CryptBot's major distributors who we believe are based in Pakistan and operate a worldwide criminal enterprise," said Google's Head of Litigation Advance Mike Trinh and its Threat Analysis Group's Pierre-Marc Bureau.

The restraining order will "bolster our ongoing technical disruption efforts against the distributors and their infrastructure," they added. "This will slow new infections from occurring and decelerate the growth of CryptBot."

The remote-controlled malware steals sensitive information from victims' computers, including authentication credentials, social media account login details, credit card info, digital currency wallets, and other private info that criminals can then sell on marketplaces or use in future fraud and intrusions.

• Dissected: A dropper-as-a-service miscreants pay to push their malware onto potentially 1,000s of victims
• Google wins lawsuit against alleged Russian botnet herders
• FBI and international cops catch a NetWire RAT
• Feds raid dark web market selling data on 24 million Americans

The distributors targeted in the lawsuit – said to be Zubair Saeed, Raheel Arshad, and Mohammad Rasheed Siddiqui of Pakistan – operated websites that lured unwitting users into downloading malicious versions of Google Earth Pro and Google Chrome, we're told. Those marks thought they were getting the real deal, but instead they are fetching versions stuffed with the info-stealer malware. Once they install the software on their computers, they infect their machines with CryptBot.

"Recent CryptBot versions have been designed to specifically target users of Google Chrome, which is where Google's CyberCrimes Investigations Group (CCIG) and Threat Analysis Group (TAG) teams worked to identify the distributors, investigate and take action," Trinh and Bureau said.

The CryptBot infrastructure takedown comes about five months after Google won its year-long legal battle against the alleged Glupteba botnet operators, who were based in Russia.

According to Google, Glupteba compromised "millions" of Windows devices. 

Google sued Dmitry Starovikov and Alexander Filippov – along with 15 other John and Jane Does – in December 2021, saying in the original complaint [PDF] that the botnet "is distinguished from conventional botnets in its technical sophistication: unlike other botnets, the Glupteba botnet leverages blockchain technology to protect itself from disruption." ®