
Google Wins Court Order to Block CryptBot Infrastructure

The Info Stealer Is Distributed Through Cracked App Sites

A federal judge sided with Google in a bid to block online infrastructure behind an info stealer masquerading as legitimate versions of the Chrome browser and Google Earth Pro.

The Silicon Valley giant obtained a temporary restraining order blocking internet traffic from reaching hundreds of web domains used as command and control for the CryptBot botnet and for distributing cracked software. Cracked applications, stripped of their licensing restrictions, are a common vehicle for malware distribution (see: Would-Be Software Pirates Served Malware Through 'NullMixer').

The order is valid for 14 days or until it becomes permanent following a court hearing scheduled for May 4.


Google in its newly unsealed complaint names three individuals in Pakistan as being primarily responsible for a network of more than 150 websites such as mazterize.net that distribute license-free versions of software including Google apps, which are free to use. The three men ran a company called 360Installer, whose web page now displays this message: "We regret to inform you that our business is permanently closed." The lawsuit also says 15 unidentified individuals were responsible for operating the CryptBot malware.

Google says 360Installer previously advertised that it paid affiliates $2 per installation of a cracked software application.

Of the 161 active domains associated with 360Installer, Google says approximately 90 were associated with the delivery of malware and about 29 were associated with CryptBot. The computing giant also identified hundreds of domains used by CryptBot as command-and-control sites, including domains such as nekrvw111.top. All the malicious domains used the .top top-level domain, which has been active since 2014.
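As an added illustration from the defender's side, not code from the article or from Google's filing, the following script triages DNS query logs against the two domains the article names and treats any other query to the .top top-level domain as worth analyst review, since every CryptBot command-and-control domain in the complaint used .top. The log format (timestamp, client IP, queried name) and the log lines themselves are constructed for the example.

```python
"""Added example (not from the article): flag DNS queries to the CryptBot-related
domains named in the article and to other .top domains for analyst review."""
import re
from collections import Counter

# Indicators quoted in the article; an analyst would extend this from the court filing.
KNOWN_BAD = {"mazterize.net", "nekrvw111.top"}
SUSPECT_TLD = "top"  # every CryptBot C2 domain in the complaint used .top

# Constructed sample DNS query log (timestamp client qname); not real traffic.
SAMPLE_LOG = """\
2023-04-26T10:01:02Z 10.0.0.12 www.google.com
2023-04-26T10:01:09Z 10.0.0.12 mazterize.net
2023-04-26T10:02:31Z 10.0.0.15 nekrvw111.top
2023-04-26T10:03:00Z 10.0.0.15 cdn.nekrvw111.top
2023-04-26T10:04:44Z 10.0.0.20 example.top
2023-04-26T10:05:10Z 10.0.0.20 earth.google.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def classify(qname: str) -> str:
    """Return 'known_bad', 'review' (unlisted .top domain) or 'ok'."""
    labels = qname.lower().rstrip(".").split(".")
    # Match the listed domain itself and any subdomain beneath it.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in KNOWN_BAD:
            return "known_bad"
    if labels[-1] == SUSPECT_TLD:
        return "review"
    return "ok"

def scan(log_text: str):
    """Return (client, qname, verdict) for every query that is not 'ok'."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the triage
        _ts, client, qname = m.groups()
        verdict = classify(qname)
        if verdict != "ok":
            hits.append((client, qname, verdict))
    return hits

def summarize(hits):
    """Count verdicts per client so likely infected hosts surface first."""
    return Counter((client, verdict) for client, _q, verdict in hits)

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The .top rule is a heuristic for review queues, not a block decision: plenty of legitimate sites use that TLD, so confirm a hit against the known-bad list or other telemetry before acting on it.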

CryptBot was first discovered in 2019 and made a resurgence in early 2022. Google estimates it infected 670,000 computers over the past year. Cybersecurity firm AhnLab in 2022 spotted a newly improved version of the info stealer on cracked software distribution web pages. The malware checks infected computers for installations of Chrome and extracts information from them, including logon credentials and cryptocurrency account information.

"We're targeting the distributors who are paid to spread malware broadly for users to download and install, which subsequently infects machines and steals user data," the tech giant said in a blog. "Cybercriminals often operate like businesses, specializing in a particular function, and partner with other criminal specialists to profit off harm to innocent users," the blog says.

Google in its complaint cited a slew of federal statutes it said the named and unidentified defendants had violated, including the main statute against organized crime - the Racketeer Influenced and Corrupt Organizations Act. It also accused the defendants of infringing on its trademarks and of violating the main U.S. anti-hacking statute - the Computer Fraud and Abuse Act.


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.