Glupteba


Glupteba is a loader with information-stealing and traffic-routing functionality. It is designed primarily to install other malware on infected PCs, but it can do much more than that. In addition, it is constantly updated, making this malware one to watch out for.

Type: Loader
Origin: Unknown
First seen: 1 January, 2011
Last seen: 12 May, 2023




What is Glupteba malware?

Glupteba is a dropper — it is commonly used to install other malware samples on infected machines. Although it was initially thought that Glupteba was developed to be a part of a malicious campaign codenamed Operation Windigo, researchers now believe that it is independent malware.

Although the Glupteba trojan is classified as a dropper, it has additional dangerous functions. For example, it is able to steal information from infected systems. In addition, it can download a component that takes control of routers and relays traffic through them.

Furthermore, the malware appears to be under active development, and its creators employ rarely used techniques to keep it running despite malware removal programs. The likely reason is their presumed move to a pay-per-install distribution scheme, which means they must keep the malware relevant in order to profit from it.

General description of Glupteba dropper

Glupteba malware was first spotted in the wild in 2011, when it was distributed by the TDL-4 bootkit alongside a series of other malware types. The malware went quiet for a long time thanks to malware removal tools, until it surfaced again three years later. This time Glupteba was seen in Operation Windigo.

In addition, researchers discovered that command and control domains of Glupteba dropper were hosted on the same machines that powered parts of the Operation Windigo infrastructure. However, the exact connection between Glupteba and Windigo is unclear.

Until recently we did not hear much about the Glupteba trojan, before it surfaced again carrying new, dangerous functionality.

Today, apart from the main dropper functionality, Glupteba malware comes with two components: the browser stealer and the router exploiter.

The browser stealer comes in two versions that target Chrome, Opera, and the Yandex browser. The malware is capable of stealing cookies and browser history as well as private login credentials.

Then there is the router exploiter component. It exploits the CVE-2018-14847 vulnerability to take control of routers. This allows attackers to turn compromised routers into SOCKS proxies, which relay traffic from compromised machines. Thus, infected routers can become relay points for spam distribution and more.

For instance, there is a theory that some of the relayed traffic is part of an attack on Instagram, though it is impossible to tell for sure because the traffic is encrypted (HTTPS).

Malware analysis of Glupteba

The video generated by the ANY.RUN interactive malware hunting service shows the execution process of Glupteba. You can also analyze other malicious objects like Ave Maria and Smoke Loader.

Figure 1: This graph, generated by the ANY.RUN malware hunting service, shows the processes started by the Glupteba trojan

Figure 2: A customizable text report created by ANY.RUN

Glupteba trojan execution process

After Glupteba makes its way into the system, it starts a cmd.exe process to run CompMgmtLauncher.exe ("Computer Management Snapin Launcher"). The malware uses CompMgmtLauncher.exe to bypass UAC and run itself with administrative privileges. After that, it typically adds itself to autorun in the registry, renames its executable file and copies it to Windows subdirectories. Glupteba also checks the system for anti-malware solutions and adds firewall rules and Defender exclusions. In addition, it creates a scheduled task to persist on the infected system. Throughout its lifecycle, Glupteba exchanges packets with the C2 server and is able to download other malware.

Glupteba C&C communication

Glupteba has a rather unique trick up its sleeve that involves none other than the Bitcoin blockchain. It can use transactions in the Bitcoin network to receive C&C domains. This function is triggered on a schedule or on demand when needed.

It enables the attackers to pass new C&C domains to the malware, allowing it to restore operation by reconnecting to a new domain if something happens to the old one.

Glupteba malware distribution

It should be noted that Glupteba has a very wide distribution range. Since 2017 it has been spotted in 180 countries, though almost one-third of the attacks were concentrated in Ukraine, Russia, and Turkey.

In the past, the malware was distributed using infrastructure provided by Windigo; currently, however, it uses its own botnet and employs the CsdiMonetize adware. The latter downloads another dropper which, in turn, installs the trojan itself.

How to detect Glupteba using ANY.RUN?

Since Glupteba adds records to the registry, analysts can detect it by looking at registry keys. To do so, choose the process by clicking on it in the process tree of the task, then click the "More info" button. In the "Advanced details of process" window, switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes an entry named "UUID" under the key HKEY_CURRENT_USER\Software\Microsoft\TestApp, you are dealing with Glupteba and it is time to get the malware removal program ready.

Figure 3: Changes Glupteba made in the registry
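As an added example that is not ANY.RUN's code, the following Python script applies the registry check above, together with the persistence and defence-evasion behaviours listed in the execution-process section, to a constructed list of registry-change records. The event tuple shape, the process names and the placeholder paths are assumptions, and the key paths other than the TestApp key are standard Windows locations rather than values taken from this page.

```python
import re
from collections import defaultdict

# Registry indicators from the behaviour described above. TestApp\UUID is the page's
# direct Glupteba indicator; the other key paths are standard Windows locations for
# the supporting behaviours it lists (autorun, Defender exclusions, firewall rules,
# scheduled tasks) and are assumptions, not values taken from this page.
ANY = re.compile(r".*")
RULES = [  # (name, key pattern, value-name pattern, weight)
    ("glupteba_testapp_uuid",
     re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\TestApp$", re.I),
     re.compile(r"^UUID$", re.I), 10),
    ("autorun_run_key", re.compile(r"\\CurrentVersion\\Run$", re.I), ANY, 3),
    ("defender_exclusion", re.compile(r"\\Windows Defender\\Exclusions\\", re.I), ANY, 3),
    ("firewall_rule", re.compile(r"\\FirewallPolicy\\FirewallRules$", re.I), ANY, 2),
    ("scheduled_task", re.compile(r"\\Schedule\\TaskCache\\Tree\\", re.I), ANY, 3),
]

def score_events(events):
    """Score each process by its registry writes.
    events: iterable of (process, operation, key, value_name) tuples, the shape an
    analyst reads off a sandbox "Registry changes" tab (constructed format).
    Returns {process: (score, [matched rule names])}."""
    hits = defaultdict(lambda: [0, []])
    for proc, op, key, value in events:
        if op != "write":
            continue
        for name, key_re, val_re, weight in RULES:
            if key_re.search(key) and val_re.match(value):
                hits[proc][0] += weight
                hits[proc][1].append(name)
    return {p: (s, names) for p, (s, names) in hits.items()}

def flag_glupteba(events, threshold=10):
    """Processes at or above the threshold; the TestApp UUID write alone reaches it."""
    return sorted(p for p, (s, _) in score_events(events).items() if s >= threshold)

# Constructed sample events (not real sandbox output); names marked placeholder are made up.
SAMPLE_EVENTS = [
    ("explorer.exe", "write", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer", "ShellState"),
    ("sample.exe", "write", r"HKEY_CURRENT_USER\Software\Microsoft\TestApp", "UUID"),
    ("sample.exe", "write", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "placeholder_name"),
    ("sample.exe", "write", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths", r"C:\placeholder_dir"),
    ("sample.exe", "write", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules", "placeholder_rule"),
    ("sample.exe", "write", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\placeholder_task", "Id"),
    ("updater.exe", "write", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Updater"),
]
```

A lone Run-key write (updater.exe here) stays below the threshold, so only the process that also writes the TestApp UUID entry is flagged.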

Conclusion

Glupteba is proving to be a rather dangerous malware that researchers and cybersecurity specialists should not take lightly. Besides its ability to install other malware samples on infected machines, it is capable of stealing information from web browsers. It can also download a component that reroutes traffic by taking control of routers.

We also know that this malware uses unique techniques when it comes to C&C communication. And if that was not enough, evidence suggests that it is in active development and attackers seem to be adding more potentially destructive features.

ANY.RUN has prepared a selection of advanced tools that allow you to dissect and study a sample of Glupteba in an interactive sandbox environment, which gives the researcher the ability to pause the simulation and make corrections at any time. Hopefully, by studying this threat along with many others, we will be able to mitigate the consequences of future malicious attacks.
