
Disrupting Glassworm: Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet

CrowdStrike Blog, 26/05/2026, 05:00

Summary

AI-Generated

Key Points:

  • CrowdStrike took down the Glassworm botnet, which targeted software developers through compromised open-source supply chains.
  • The malware ran on Windows, macOS, and Linux hosts; its GlasswormRAT component harvested credentials and gave the operators remote access.
  • Organizations should search network logs for connections to 164.92.88[.]210, the address now operated by CrowdStrike, and run the provided YARA rules against hosts to identify infections.

Technical Details: The Glassworm botnet used a resilient command-and-control infrastructure that combined blockchain transactions, the BitTorrent DHT, Google Calendar events, and conventional server connections, so that losing any single channel to a takedown did not stop operations.

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools (Initial Access)
  • T1078 - Valid Accounts (Defense Evasion)

IOCs Mentioned:

  • 164.92.88[.]210 (IP Address)
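The network-log check recommended in the key points, worked through as an added example that is not part of the original article or of CrowdStrike's tooling. It refangs the published IOC, reads Zeek-style conn.log text (the `#separator`/`#fields` header layout Zeek actually writes), and reports every internal host that talked to the IOC with hit count, first/last seen, and destination ports. The log lines below are constructed for illustration; the function names and the `GLASSWORM_IOCS_DEFANGED` list are this example's own, and the only IOC in it is the one the summary lists.

```python
"""Hunt Zeek-style conn logs for connections to the Glassworm IOC (added example)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable, Iterator

# The only IOC the summary publishes, kept in its defanged form.
GLASSWORM_IOCS_DEFANGED = ["164.92.88[.]210"]

# Constructed sample in Zeek conn.log layout (tab-separated, #fields header).
# 10.0.5.23 and 10.0.7.8 reach the IOC; the other rows are benign filler (TEST-NET ranges).
SAMPLE_CONN_LOG = """#separator \\x09
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1716700000.101\tCa1\t10.0.5.23\t51422\t164.92.88.210\t443\ttcp\tssl
1716700012.550\tCa2\t10.0.5.23\t51430\t198.51.100.20\t443\ttcp\tssl
1716700300.200\tCa3\t10.0.7.8\t40021\t164.92.88.210\t80\ttcp\thttp
1716701100.900\tCa4\t10.0.5.23\t51500\t164.92.88.210\t443\ttcp\tssl
1716701200.000\tCa5\t10.0.9.1\t33000\t203.0.113.7\t22\ttcp\tssh
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("1.2.3[.]4", "hxxp://") back into usable form."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def load_ioc_set(defanged: Iterable[str]) -> set:
    """Parse defanged IP IOCs into ip_address objects so matching ignores formatting."""
    return {ipaddress.ip_address(refang(i)) for i in defanged}


@dataclass
class Hit:
    count: int = 0
    first_seen: float = float("inf")
    last_seen: float = 0.0
    dst_ports: set = field(default_factory=set)


def parse_zeek_conn(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one {field: value} dict per data row, driven by the #fields header."""
    fields = None
    sep = "\t"
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Zeek writes the separator as an escape, e.g. "#separator \x09".
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            elif line.startswith("#fields"):
                fields = line.split(sep)[1:]
            continue  # #path, #types, #open, #close etc. carry no rows
        if fields is None:
            raise ValueError("conn.log has no #fields header before data rows")
        yield dict(zip(fields, line.split(sep)))


def find_ioc_connections(lines: Iterable[str], iocs: set) -> dict:
    """Return {originating host: Hit} for every row whose responder is an IOC."""
    hits: dict = defaultdict(Hit)
    for rec in parse_zeek_conn(lines):
        try:
            resp = ipaddress.ip_address(rec["id.resp_h"])
            ts = float(rec["ts"])
        except (KeyError, ValueError):
            continue  # malformed row: skip it rather than abort the hunt
        if resp not in iocs:
            continue
        h = hits[rec["id.orig_h"]]
        h.count += 1
        h.first_seen = min(h.first_seen, ts)
        h.last_seen = max(h.last_seen, ts)
        h.dst_ports.add(int(rec["id.resp_p"]))
    return dict(hits)


def report(hits: dict) -> list:
    """Render hits as one human-readable line per host (UTC timestamps)."""
    def iso(ts: float) -> str:
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return [
        f"{host}: {h.count} connection(s), first {iso(h.first_seen)}, "
        f"last {iso(h.last_seen)}, ports {sorted(h.dst_ports)}"
        for host, h in sorted(hits.items())
    ]


if __name__ == "__main__":
    found = find_ioc_connections(SAMPLE_CONN_LOG.splitlines(), load_ioc_set(GLASSWORM_IOCS_DEFANGED))
    for line in report(found):
        print(line)
```

Feed it a real conn.log with `open(path)` in place of `SAMPLE_CONN_LOG.splitlines()`; the same `load_ioc_set` call accepts any further defanged addresses CrowdStrike publishes. Because the IOC address is the one CrowdStrike now operates, a hit shows a host that is still beaconing and should be triaged with the YARA rules, not that the host is reachable by the original operators.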
