Glupteba

Glupteba is a loader with information-stealing and traffic-routing functionality. It is designed primarily to install other malware on infected PCs, but it can do much more than that. In addition, it is constantly being updated, which makes this malware one to watch out for.

Type: Loader
Origin: Unknown
First seen: 1 January, 2011
Last seen: 30 March, 2020
Global rank: 33
Week rank: 22
Month rank: 29
IOCs: 225

What is Glupteba malware?

Glupteba is a dropper: it is commonly used to install other malware samples on infected machines. Although it was initially thought that Glupteba was developed to be part of a malicious campaign codenamed Operation Windigo, researchers now believe that it is an independent malware family.

Although the Glupteba Trojan is classified as a dropper, it has some additional dangerous functions. For example, it has the ability to steal information from infected systems. In addition, it can download a component that is able to control routers and relay traffic.

Furthermore, this malware appears to be under active development, and its creators employ dangerous and rarely used techniques to keep their creation active. The likely reason is their presumed move to a pay-per-install distribution scheme, which means they must keep the malware relevant in order to profit from it.

General description of Glupteba dropper

Glupteba was first spotted in the wild in 2011, when it was distributed by the TDL-4 bootkit among a series of other malware types. The malware went quiet for a long time until it surfaced again three years later. This time Glupteba was seen in Operation Windigo.

In addition, researchers discovered that command and control domains of Glupteba dropper were hosted on the same machines that powered parts of the Operation Windigo infrastructure. However, the exact connection between Glupteba and Windigo is unclear.

Until recently, we did not hear much about Glupteba, until it surfaced again carrying new, dangerous functionality.

Today, apart from the main dropper functionality, the Glupteba Trojan comes with two components: the browser stealer component and the router exploiter.

The browser stealer comes in two versions that target Chrome, Opera, and the Yandex browser. The malware is capable of stealing cookies and browser history as well as private login credentials.

Then there is the router exploiter component. It exploits the CVE-2018-14847 vulnerability to take control of vulnerable routers. This allows attackers to turn compromised routers into SOCKS proxies, which relay traffic from compromised machines. Thus, infected routers can become relay points for spam distribution and more.

For instance, there is a theory that some of the relayed traffic is part of an attack on Instagram, though it is impossible to tell for sure because the traffic is encrypted (HTTPS).

Malware analysis of Glupteba

The video generated by the ANY.RUN interactive malware hunting service shows the execution process of Glupteba.

Figure 1: This process graph, generated by the ANY.RUN malware hunting service, shows the processes started by the Glupteba Trojan.

Figure 2: A customizable text report created by ANY.RUN.

Glupteba Trojan Execution Process

After Glupteba makes its way into the system, it starts a CMD.exe process to run CompMgmtLauncher.exe ("Computer Management Snapin Launcher"). The malware uses CompMgmtLauncher.exe to bypass UAC and run itself with administrative privileges. After that, it typically adds itself to autorun in the registry, renames its executable file and copies it to Windows subdirectories. Glupteba also checks the system for anti-malware solutions and adds firewall rules and Windows Defender exclusions. In addition, it registers a scheduled task to persist on the infected system. Throughout its lifecycle, Glupteba exchanges packets with the C2 server and is able to download other malware.

Glupteba C&C communication

Glupteba has a rather unique trick up its sleeve that involves none other than the Bitcoin blockchain: it can use transactions in the Bitcoin network to receive C&C domains. This function runs on a schedule or on demand when needed.

It enables the attackers to pass new C&C domains to the malware, allowing it to restore operation by reconnecting to a new domain if something happens to the old one.
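The page does not describe how the domain is embedded in a transaction; the example below assumes the common null-data mechanism (an OP_RETURN output carrying arbitrary bytes) and is an added illustration written from the hunting side, not Glupteba's code or ANY.RUN's. It builds a constructed legacy transaction offline (no network, no signing), then parses it the way a threat hunter would when sweeping a known wallet's transactions for embedded hostnames. The payload is left as plaintext purely for illustration; a real sample would be expected to encode or encrypt it, and the exact format is not on this page.

```python
import struct


def encode_varint(n):
    """Bitcoin CompactSize encoding."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def read_varint(buf, pos):
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def op_return_script(payload):
    """Null-data script: OP_RETURN (0x6a) followed by one data push (< 256 bytes)."""
    if len(payload) <= 75:
        push = bytes([len(payload)])            # direct push opcode
    else:
        push = b"\x4c" + bytes([len(payload)])  # OP_PUSHDATA1 + 1-byte length
    return b"\x6a" + push + payload


def build_legacy_tx(outputs):
    """Serialize a minimal unsigned legacy (non-SegWit) transaction with one dummy input.
    Only used here to construct sample input for the parser."""
    tx = struct.pack("<I", 1)                          # version
    tx += encode_varint(1)                             # input count
    tx += b"\x00" * 32 + struct.pack("<I", 0)          # dummy prevout (txid, index)
    tx += encode_varint(0)                             # empty scriptSig
    tx += b"\xff\xff\xff\xff"                          # sequence
    tx += encode_varint(len(outputs))
    for value, script in outputs:
        tx += struct.pack("<q", value) + encode_varint(len(script)) + script
    tx += struct.pack("<I", 0)                         # locktime
    return tx


def extract_op_return(raw):
    """Return the data payloads of every OP_RETURN output in a legacy transaction."""
    pos = 4                                            # skip version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                                      # prevout txid + index
        slen, pos = read_varint(raw, pos)
        pos += slen + 4                                # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    payloads = []
    for _ in range(n_out):
        pos += 8                                       # value (satoshis)
        slen, pos = read_varint(raw, pos)
        script = raw[pos:pos + slen]
        pos += slen
        if not script or script[0] != 0x6A:
            continue                                   # not a null-data output
        i = 1
        while i < len(script):                         # a script may carry several pushes
            op = script[i]
            if 1 <= op <= 75:
                data, i = script[i + 1:i + 1 + op], i + 1 + op
            elif op == 0x4C:
                ln = script[i + 1]
                data, i = script[i + 2:i + 2 + ln], i + 2 + ln
            else:
                break
            payloads.append(data)
    return payloads


def c2_candidates(raw):
    """Hunting heuristic: OP_RETURN payloads that decode as hostname-like ASCII."""
    found = []
    for payload in extract_op_return(raw):
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            continue
        if "." in text and all(c.isalnum() or c in ".-" for c in text):
            found.append(text)
    return found


# Constructed sample: one ordinary P2PKH output plus one null-data output holding a
# placeholder hostname (not an indicator from the page).
SAMPLE_TX = build_legacy_tx([
    (50_000, b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"),
    (0, op_return_script(b"c2.example.invalid")),
])

if __name__ == "__main__":
    print(c2_candidates(SAMPLE_TX))
```

The parser deliberately walks the input section by length rather than trusting a fixed layout, so it works on any legacy transaction pulled from a node or block file; SegWit-serialized transactions (marker and flag bytes after the version) would need the witness section skipped as well.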

Glupteba distribution

It should be noted that Glupteba has a very wide distribution range. Since 2017 it has been spotted in 180 countries, though almost one-third of the attacks were concentrated in Ukraine, Russia, and Turkey.

In the past, the malware was distributed using infrastructure provided by Windigo; currently, however, it uses its own botnet and employs the CsdiMonetize adware. The latter downloads another dropper which, in turn, installs Glupteba itself.

How to detect Glupteba using ANY.RUN?

Since Glupteba adds records to the registry, analysts can detect it by looking at registry keys. To do so, select the process by clicking on it in the task's process tree, then click the "More info" button. In the "Advanced details of process" window, switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes a key named "UUID" under HKEY_CURRENT_USER\Software\Microsoft\TestApp, you are dealing with Glupteba.
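The same registry marker, together with the execution chain described under "Glupteba Trojan Execution Process", can be checked automatically once a sandbox report or endpoint telemetry has been exported. The following is an added example, not ANY.RUN's code: it runs a small set of behaviour rules over constructed sandbox-style events (process creations with parent image and command line, registry writes with the full path written). The TestApp\UUID path is the marker the page names; the Run key and the Windows Defender Exclusions key are standard Windows locations assumed here as the places where autorun entries and exclusions land, and the schtasks/netsh command lines are constructed to represent the scheduled task and firewall rule the page mentions.

```python
# Constructed sandbox-style events, not real ANY.RUN output.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "sample.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c CompMgmtLauncher.exe"},
    {"type": "process", "parent": "cmd.exe", "image": "CompMgmtLauncher.exe",
     "cmdline": "CompMgmtLauncher.exe"},
    {"type": "registry", "image": "sample.exe",
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\TestApp\UUID"},
    {"type": "registry", "image": "sample.exe",
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"},
    {"type": "process", "parent": "sample.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /tn WinUpdate /tr C:\\Windows\\Temp\\update.exe"},
    {"type": "process", "parent": "sample.exe", "image": "netsh.exe",
     "cmdline": "netsh advfirewall firewall add rule name=WinUpdate dir=in action=allow"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe"},
]


def _proc(ev, image, needle=None):
    """True for a process event with the given image (and optional cmdline substring)."""
    if ev["type"] != "process" or ev["image"].lower() != image:
        return False
    return needle is None or needle in ev["cmdline"].lower()


def rule_uac_bypass(ev):
    # cmd.exe launching CompMgmtLauncher.exe, the chain described on the page
    return _proc(ev, "compmgmtlauncher.exe") and ev["parent"].lower() == "cmd.exe"


def rule_testapp_uuid(ev):
    # The registry marker the page calls out as the definitive tell
    return (ev["type"] == "registry"
            and ev["path"].lower() == r"hkey_current_user\software\microsoft\testapp\uuid")


def rule_run_key_autorun(ev):
    # Standard autorun location (assumed; the page only says "autorun in the registry")
    return ev["type"] == "registry" and "\\currentversion\\run\\" in ev["path"].lower()


def rule_scheduled_task(ev):
    return _proc(ev, "schtasks.exe", "/create")


def rule_firewall_rule(ev):
    return _proc(ev, "netsh.exe", "advfirewall firewall add rule")


def rule_defender_exclusion(ev):
    # Standard Windows Defender exclusions key (assumed location)
    return ev["type"] == "registry" and "\\windows defender\\exclusions\\" in ev["path"].lower()


RULES = {
    "uac_bypass_compmgmtlauncher": rule_uac_bypass,
    "testapp_uuid": rule_testapp_uuid,
    "run_key_autorun": rule_run_key_autorun,
    "scheduled_task": rule_scheduled_task,
    "firewall_rule": rule_firewall_rule,
    "defender_exclusion": rule_defender_exclusion,
}


def match_rules(events):
    """Names of the rules that fire at least once over the event list."""
    return {name for name, rule in RULES.items() if any(rule(ev) for ev in events)}


def verdict(events):
    """'glupteba' on the registry marker, 'suspicious' on loader-like behaviour alone."""
    hits = match_rules(events)
    if "testapp_uuid" in hits:
        return "glupteba"
    if len(hits) >= 3:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    print(sorted(match_rules(SAMPLE_EVENTS)), verdict(SAMPLE_EVENTS))
```

The marker rule is kept separate from the behavioural ones on purpose: the registry path is specific to this family, whereas UAC bypass via CompMgmtLauncher.exe, Run-key autorun, scheduled tasks and firewall rules are shared by many loaders and only justify a "suspicious" verdict on their own.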

Figure 3: Changes Glupteba made in the registry.

Conclusion

Glupteba is proving to be a rather dangerous malware that researchers and cybersecurity specialists should not take lightly. Besides its ability to install other malware samples on infected machines, the malware is capable of stealing information from web browsers. It can also download a component that reroutes traffic by taking control of routers.

We also know that this malware uses unique techniques when it comes to C&C communication. And if that was not enough, evidence suggests that it is in active development and attackers seem to be adding more potentially destructive features.

ANY.RUN has prepared a selection of advanced tools that allow researchers to dissect and study a sample of Glupteba in an interactive sandbox environment, which gives the researcher the ability to pause the simulation and make corrections at any time. Hopefully, by studying this threat along with many others, we will be able to mitigate the consequences of future malicious attacks.

IOCs

IP addresses
192.168.100.155
192.168.100.107
192.168.100.219
85.10.217.42
5.135.185.13
5.9.108.164
190.2.134.139
136.243.14.152
190.2.154.71
78.46.86.122
134.119.179.45
192.168.100.131
37.187.8.179
172.64.130.22
172.64.131.22
192.168.100.23
104.31.136.11
104.24.115.204
192.168.100.93
185.11.72.44
Hashes
04d71e8af8b5cbec912b82b6ebef7c19c5b888873dfd4609b1e38b2a6c398b2e
1c41fdf95276a4f29d7fa823b43a009d910d7761e106bf6ca27c95626515ae59
222a2388305b7487162ab4b0652c30bf3e80e56b164591613c3402007491116a
7096508d3cfbe0ca6cd4933dc9050011fe8dea0c1f5a8277c065fa84b5ffd1e3
fc3e198e34cb9070854d6f75ef40bfb3d11c231a43e74b33fe584ddb04747822
63a76c2919cef58e21395a7b34155208ed42a03d1c0b25ea6004e23c23c3122b
1f17eada8dea0b9d1fc902de4e5a2f684229882bad4d4a76d5e868a060b81f79
22adb7035a25bc288cb78f323f52c1c33a9e5113b387644da2947a3a1512e64f
db93b563ad9da71d514e4cdbd4f3141172aa3937787a204b890f64385ffe919d
8a305afa4246ffe762dde348af4c76e76ed518f399636fa17d25b5d2e24004c3
1e30509427e2352b21e3a46d4db6d082f00bebbe1308ddf79ca3a6fd104a6367
88aa5735ccbab3cc9a2cda6efb18e2d578b99a5d2f83070fc4354efc6a6140b4
9f69e61e9002aa715a2e0c2fdc462a7b63f8aefdbfc19690497bab569efe11b6
9830fa8a3ad8ce910cc476d18253707073d752e3df02d15081a4315549b1e2ad
fc00d327ff346f3507bdce4516365089e6b75e0ac71f06d05d0ae3928f742e45
f650bf0ada7902c0a2a39a09104394eaa9a814f0f93122f2b65f46e76d0c7df8
0521e846a012f9d1dc9c74aca6ee5b7bb9a36da3e960602a476788103e70d26b
d7ed220aa8f035b9ea5f6d5107a0aeca11559c8b7098761d77e50c7e20afe4c4
71680b69cd8259796881432bdb1a2cd33c3948b637ed22d95aa4417d58eb4517
c4a8b98a88d9bb78cc0053ab759e40648107ad74e377b632276ff8b3685a5bf1
Domains
majul.com
elx01.knas.systems
isns.net
alireviews-cdn.fireapps.vn
krupskaya.com
m-onetrading-jp.com
thuocnam.tk
DFBB5F41-803A-4E0F-A2E7-FB5F38E653FB.server-17.bcyq.ru
ED18DB6A-A7B9-4689-A41F-535C16FE6156.server-66.flrz.ru
3EA36F7C-A20A-47DF-A1E9-7C93FBECC140.server-6.xxtxgoal.mobi
B44E51A7-D1F3-4F27-9547-547FEA29C36A.server-50.bcyy.ru
B44E51A7-D1F3-4F27-9547-547FEA29C36A.server-57.wtre.ru
62514BA5-27D8-4264-B9E3-EA6258BDDDB7.server-4.qxzi.ru
reorget.com
E57BEB50-3C4A-47EB-93E8-84E7D22D0DC9.server-22.bcyi.ru
C80C1038-405D-4C32-9E5B-A8F59B671E29.server-86.bczx.ru
2C3CCB33-7540-45B7-9300-0BB17A2C6574.server-5.xtxpics.best
D66389E3-C853-421B-84D1-615797963878.server-8.xtxpics.best
ie8eamus.com
C80C1038-405D-4C32-9E5B-A8F59B671E29.server-86.iyop.ru
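Two things stand out when this IOC list is put to use: several of the listed IP addresses are in the 192.168.0.0/16 private range, which is sandbox-internal address space rather than attacker infrastructure and should not be pushed to a blocklist, and most of the domains share one shape, a GUID label followed by "server-N" and a short apex. The added example below (not ANY.RUN's code) triages a subset of the list copied from above: it separates routable from non-routable IPs, validates the hashes as SHA-256, and turns the GUID-prefixed hostnames into a hunting pattern that also catches the same shape under apex domains not on the page. The hostname with an "example.invalid" apex in the DNS sample is constructed to show that generalization.

```python
import ipaddress
import re

# Subset of the IOCs listed above, copied verbatim.
RAW_IOCS = """
192.168.100.155
85.10.217.42
5.135.185.13
172.64.130.22
192.168.100.23
04d71e8af8b5cbec912b82b6ebef7c19c5b888873dfd4609b1e38b2a6c398b2e
1c41fdf95276a4f29d7fa823b43a009d910d7761e106bf6ca27c95626515ae59
majul.com
elx01.knas.systems
DFBB5F41-803A-4E0F-A2E7-FB5F38E653FB.server-17.bcyq.ru
ED18DB6A-A7B9-4689-A41F-535C16FE6156.server-66.flrz.ru
B44E51A7-D1F3-4F27-9547-547FEA29C36A.server-50.bcyy.ru
"""

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# GUID label + "server-<n>" + apex: the shape shared by the listed hostnames.
GUID_HOST_RE = re.compile(
    r"^[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\.server-\d+\.(?P<apex>[a-z0-9.-]+)$",
    re.IGNORECASE,
)


def classify_iocs(text):
    """Sort raw IOC lines into actionable buckets."""
    out = {"routable_ips": [], "private_ips": [], "sha256": [],
           "domains": [], "guid_hosts": [], "apexes": set()}
    for token in text.split():
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            ip = None
        if ip is not None:
            # is_global is False for RFC 1918, loopback, link-local etc.
            bucket = "routable_ips" if ip.is_global else "private_ips"
            out[bucket].append(token)
            continue
        if SHA256_RE.match(token):
            out["sha256"].append(token.lower())
            continue
        m = GUID_HOST_RE.match(token)
        if m:
            out["guid_hosts"].append(token)
            out["apexes"].add(m.group("apex").lower())
            continue
        out["domains"].append(token.lower())
    return out


def hunt_dns(hostnames):
    """Return queried hostnames matching the GUID.server-N.<apex> shape, any apex."""
    return [h for h in hostnames if GUID_HOST_RE.match(h)]


# Constructed DNS query sample: two listed hosts, one same-shape host on an
# apex that is not on the page, and ordinary traffic.
SAMPLE_DNS = [
    "www.example.com",
    "ED18DB6A-A7B9-4689-A41F-535C16FE6156.server-66.flrz.ru",
    "11111111-2222-3333-4444-555555555555.server-3.example.invalid",
    "update.example.org",
]

if __name__ == "__main__":
    triage = classify_iocs(RAW_IOCS)
    print("block:", triage["routable_ips"], sorted(triage["apexes"]))
    print("ignore (sandbox-internal):", triage["private_ips"])
    print("dns hits:", hunt_dns(SAMPLE_DNS))
```

Blocking by apex (bcyq.ru, flrz.ru, bcyy.ru and so on) plus hunting by shape is more robust than blocking the full GUID hostnames, since the GUID label is per-victim and will never repeat in your own telemetry.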
