Glupteba

Glupteba is a loader with information-stealing and traffic-routing functionality. It is designed primarily to install other malware on infected PCs, but it can do much more than that. In addition, it is constantly updated, making this malware one to watch out for.

Type: Loader
Origin: Unknown
First seen: 1 January, 2011
Last seen: 24 January, 2023
Global rank: 43
Week rank: 38
Month rank: 39
IOCs: 9769

What is Glupteba malware?

Glupteba is a dropper — it is commonly used to install other malware samples on infected machines. Although it was initially thought that Glupteba was developed to be a part of a malicious campaign codenamed Operation Windigo, researchers now believe that it is independent malware.

Although the Glupteba trojan is classified as a dropper, it has additional dangerous functions. For example, it can steal information from infected systems, and it can download a component that takes control of routers and relays traffic through them.

Furthermore, the malware appears to be under active development, and its creators employ dangerous and rarely used techniques to keep it running despite malware removal programs. The likely reason is their presumed move to a pay-per-install distribution scheme, which means they must keep the malware relevant in order to profit from it.

General description of Glupteba dropper

Glupteba malware was first spotted in the wild in 2011, when it was distributed by the TDL-4 bootkit alongside a series of other malware. Malware removal tools kept it quiet for a long time, until it surfaced again three years later, this time as part of Operation Windigo.

In addition, researchers discovered that the command and control domains of the Glupteba dropper were hosted on the same machines that powered parts of the Operation Windigo infrastructure. However, the exact connection between Glupteba and Windigo is unclear.

Until recently we did not hear much about the Glupteba trojan, before it surfaced again carrying new, dangerous functionality.

Today, apart from the main dropper functionality, Glupteba malware comes with two components: a browser stealer and a router exploiter.

The browser stealer comes in two versions and targets Chrome, Opera, and the Yandex browser. It is capable of stealing cookies and browser history as well as saved login credentials.

Then there is the router exploiter component. It exploits CVE-2018-14847, a vulnerability in the Winbox service of MikroTik RouterOS, to take control of routers. This allows the attackers to turn compromised routers into SOCKS proxies that relay traffic from compromised machines, so infected routers can become relay points for spam distribution and more.

For instance, there is a theory that some of the relayed traffic is part of an attack on Instagram, though it is impossible to tell for sure because the relayed traffic is encrypted (HTTPS).

Malware analysis of Glupteba

The video generated by the ANY.RUN interactive malware hunting service shows the execution process of Glupteba. You can also analyze other malicious objects like Ave Maria and Smoke Loader.

Figure 1: This graph, generated by the ANY.RUN malware hunting service, shows the processes started by the Glupteba trojan

Figure 2: A customizable text report created by ANY.RUN

Glupteba trojan execution process

After Glupteba makes its way into the system, it starts a CMD.exe process to run CompMgmtLauncher.exe ("Computer Management Snapin Launcher"). The malware uses CompMgmtLauncher.exe, an auto-elevating Windows binary, to bypass UAC and run itself with administrative privileges. After that, it typically adds itself to autorun in the registry, renames its executable file and copies it to Windows subdirectories. Glupteba also checks the system for anti-malware solutions and adds firewall rules and Windows Defender exclusions. In addition, it registers a scheduled task to persist on the infected system. Throughout its lifecycle, Glupteba exchanges packets with the C2 server and can download other malware.

Glupteba C&C communication

Glupteba has a rather unique trick up its sleeve that involves none other than the Bitcoin blockchain: it can use transactions in the Bitcoin network to receive C&C domains. This function is triggered on a schedule, or on demand if there is a need.

It enables the attackers to pass new C&C domains to the malware, allowing it to resume operation by reconnecting to a new domain if something happens to the old one. Because the blockchain is public, append-only and outside any hosting provider's control, taking down the current C&C domain does not cut the bots off; on the other hand, defenders who know the wallet address can watch the same transactions and learn new domains as soon as they are published.
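The mechanism above, as an added example that is not code from the page or from the malware: the bot walks the outputs of a known wallet's transactions, picks the OP_RETURN output (the Bitcoin script that carries arbitrary data), and decrypts that payload into a domain name. The AES-256-GCM key is a constructed stand-in, and the payload layout (12-byte nonce followed by ciphertext and tag) is an assumption for this example rather than the real sample's format; the transaction outputs are likewise constructed so the block runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed for this example: a 32-byte key standing in for the key embedded in
// the malware. It is derived from a label so the block is self-contained.
var c2Key = sha256.Sum256([]byte("constructed-example-key"))

// ExtractOpReturn returns the data pushed after OP_RETURN (0x6a) in a
// scriptPubKey. It accepts a direct push (0x01..0x4b) and OP_PUSHDATA1 (0x4c).
func ExtractOpReturn(script []byte) ([]byte, error) {
	if len(script) < 2 || script[0] != 0x6a {
		return nil, errors.New("not an OP_RETURN output")
	}
	var n int
	var data []byte
	switch op := script[1]; {
	case op >= 0x01 && op <= 0x4b:
		n, data = int(op), script[2:]
	case op == 0x4c:
		if len(script) < 3 {
			return nil, errors.New("truncated OP_PUSHDATA1")
		}
		n, data = int(script[2]), script[3:]
	default:
		return nil, fmt.Errorf("unsupported push opcode 0x%02x", op)
	}
	if len(data) != n {
		return nil, errors.New("push length does not match script length")
	}
	return data, nil
}

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c2Key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptDomain decrypts a payload laid out (assumed) as nonce || ciphertext || tag.
// A wrong key, tampering, or an unrelated OP_RETURN all fail the GCM tag check.
func DecryptDomain(payload []byte) (string, error) {
	gcm, err := newGCM()
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(payload) < ns+gcm.Overhead() {
		return "", errors.New("payload too short")
	}
	plain, err := gcm.Open(nil, payload[:ns], payload[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// EncryptDomain is the operator-side counterpart, used here only to build the
// constructed transaction output.
func EncryptDomain(domain string, nonce []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, []byte(domain), nil)...), nil
}

// OpReturnScript wraps a payload in an OP_RETURN scriptPubKey.
func OpReturnScript(payload []byte) []byte {
	if len(payload) <= 0x4b {
		return append([]byte{0x6a, byte(len(payload))}, payload...)
	}
	return append([]byte{0x6a, 0x4c, byte(len(payload))}, payload...)
}

// LatestC2Domain scans transaction outputs (newest first) and returns the first
// OP_RETURN payload that decrypts under the key; other output types are skipped.
func LatestC2Domain(outputs [][]byte) (string, error) {
	for _, script := range outputs {
		payload, err := ExtractOpReturn(script)
		if err != nil {
			continue
		}
		if d, err := DecryptDomain(payload); err == nil {
			return d, nil
		}
	}
	return "", errors.New("no decryptable OP_RETURN output found")
}

func main() {
	nonce := bytes.Repeat([]byte{0x42}, 12) // fixed for reproducibility; a real sender randomizes it
	payload, _ := EncryptDomain("c2-update.example", nonce)
	outputs := [][]byte{
		append(append([]byte{0x76, 0xa9, 0x14}, bytes.Repeat([]byte{0x11}, 20)...), 0x88, 0xac), // constructed P2PKH output, skipped
		OpReturnScript([]byte("unrelated memo")),                                                 // OP_RETURN that fails to decrypt
		OpReturnScript(payload),
	}
	fmt.Println(LatestC2Domain(outputs))
}
```

The point for a defender is the last function: anyone holding the key recovered from a sample can run the same loop over the wallet's public transaction history and obtain each new domain the moment it is committed, which turns the attackers' takedown resistance into a monitoring feed.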

Glupteba malware distribution

It should be noted that Glupteba has a very wide distribution range. Since 2017 it has been spotted in 180 countries, though almost one-third of the attacks were concentrated in Ukraine, Russia, and Turkey.

In the past, the malware was distributed using the infrastructure provided by Windigo; currently, however, it uses its own botnet and employs the CsdiMonetize adware, which downloads another dropper that in turn installs the trojan itself.

How to detect Glupteba using ANY.RUN?

Since Glupteba adds records to the registry, analysts can detect it by looking at registry keys. To do so, select the process by clicking on it in the process tree of the task, then click the "More info" button. In the "Advanced details of process" window, switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes a value named "UUID" under the key HKEY_CURRENT_USER\Software\Microsoft\TestApp, you are dealing with Glupteba and it is time to get the malware removal program ready.

Figure 3: Changes Glupteba made in the registry
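The execution chain described under "Glupteba trojan execution process" and the registry check above, turned into detection logic as an added example (not ANY.RUN's code and not a rule shipped with any product). The trace it runs over is constructed: the command lines, the file path under Windows\Temp and the write to the mscfile handler key (the hijack that CompMgmtLauncher-based UAC bypasses rely on) are assumptions illustrating the behaviours the text names; the TestApp\UUID write is the indicator the text gives.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one sandbox or EDR record; fields that do not apply stay empty.
type Event struct {
	Kind    string // "process" or "registry"
	Image   string // process image name
	Parent  string // parent image name (process events only)
	CmdLine string
	Key     string // registry key path (registry events only)
	Value   string // registry value name
}

// Constructed sample trace, not taken from a real run.
var sampleTrace = []Event{
	{Kind: "process", Image: "cmd.exe", Parent: "sample.exe", CmdLine: `cmd.exe /c start CompMgmtLauncher.exe`},
	{Kind: "registry", Key: `HKCU\Software\Classes\mscfile\shell\open\command`, Value: "(Default)"},
	{Kind: "process", Image: "CompMgmtLauncher.exe", Parent: "cmd.exe"},
	{Kind: "registry", Key: `HKCU\Software\Microsoft\TestApp`, Value: "UUID"},
	{Kind: "process", Image: "schtasks.exe", Parent: "sample.exe", CmdLine: `schtasks /create /tn svc /tr C:\Windows\Temp\svc.exe /sc onlogon`},
	{Kind: "process", Image: "netsh.exe", Parent: "sample.exe", CmdLine: `netsh advfirewall firewall add rule name=svc dir=in action=allow program=C:\Windows\Temp\svc.exe`},
	{Kind: "process", Image: "powershell.exe", Parent: "sample.exe", CmdLine: `powershell -Command Add-MpPreference -ExclusionPath C:\Windows\Temp`},
}

// Detect returns the names of the rules the trace matches, in trace order.
func Detect(trace []Event) []string {
	var hits []string
	for _, e := range trace {
		img, parent := strings.ToLower(e.Image), strings.ToLower(e.Parent)
		cmd, key := strings.ToLower(e.CmdLine), strings.ToLower(e.Key)
		switch e.Kind {
		case "process":
			switch {
			// Auto-elevating binary started from a shell rather than from Explorer.
			case img == "compmgmtlauncher.exe" && parent == "cmd.exe":
				hits = append(hits, "uac_bypass_compmgmtlauncher")
			case img == "schtasks.exe" && strings.Contains(cmd, "/create"):
				hits = append(hits, "schtasks_persistence")
			case img == "netsh.exe" && strings.Contains(cmd, "firewall add rule"):
				hits = append(hits, "firewall_rule_added")
			case strings.Contains(cmd, "add-mppreference") && strings.Contains(cmd, "-exclusionpath"):
				hits = append(hits, "defender_exclusion")
			}
		case "registry":
			switch {
			// Per-user handler hijack used by CompMgmtLauncher/eventvwr-style bypasses.
			case strings.HasSuffix(key, `\software\classes\mscfile\shell\open\command`):
				hits = append(hits, "mscfile_handler_hijack")
			// The family-specific indicator named in the text.
			case strings.HasSuffix(key, `\software\microsoft\testapp`) && strings.EqualFold(e.Value, "UUID"):
				hits = append(hits, "glupteba_testapp_uuid")
			}
		}
	}
	return hits
}

// Verdict: the TestApp\UUID value alone identifies the family; otherwise three
// or more of the generic loader behaviours make the sample worth a closer look.
func Verdict(hits []string) string {
	generic := 0
	for _, h := range hits {
		if h == "glupteba_testapp_uuid" {
			return "Glupteba"
		}
		generic++
	}
	if generic >= 3 {
		return "suspicious loader"
	}
	return "no match"
}

func main() {
	hits := Detect(sampleTrace)
	fmt.Println(hits)
	fmt.Println(Verdict(hits))
}
```

The parent check on CompMgmtLauncher.exe matters: a user opening Computer Management launches it from explorer.exe, so that alone is not a hit, while the same binary spawned by cmd.exe together with a write to the per-user mscfile handler is the bypass pattern.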

Conclusion

Glupteba is proving to be rather dangerous malware that researchers and cybersecurity specialists should not take lightly. Besides its ability to install other malware samples on infected machines, it is capable of stealing information from web browsers. It can also download a component that reroutes traffic by taking control of routers.

We also know that this malware uses unique techniques for C&C communication. And as if that were not enough, evidence suggests that it is under active development, with the attackers adding more potentially destructive features.

ANY.RUN has prepared a selection of advanced tools that allow analysts to dissect and study a sample of Glupteba in an interactive sandbox environment, which gives the researcher the ability to pause the simulation and make corrections at any time. Hopefully, by studying this threat along with many others, we will be able to mitigate the consequences of future malicious attacks.

IOCs

IP addresses (note: the 192.168.100.x entries are RFC 1918 private addresses observed inside the sandbox network, not attacker infrastructure, and should not be used as network indicators)
172.67.146.242
172.64.130.22
192.168.100.51
192.168.100.230
192.168.100.116
192.168.100.117
35.205.61.67
208.100.26.245
63.251.106.25
192.168.100.108
63.251.235.76
172.64.163.32
192.168.100.135
192.168.100.64
192.168.100.105
192.168.100.222
192.168.100.69
192.168.100.109
192.168.100.187
Hashes
4d5c31d6d2b1632ea7ac824c64471a3804ad9c08986c444728b198208cab34a4
1c3dd554b300dd814f85ade4721ac256ce67ec4b955fcca011f0b52c3c1e1853
3a514479e2c178f92328e1ac5dca4ad79181ffe20c622dbe36d9d0c9481d87a3
502b74af98bc415bd33f219adf4a07552fc5ea1a3e7b19395ba1a15406c7bd0d
a64fa6009d7b50179cb34d098966f0f308e924501ec3d8677909dd9151325e37
b31df824c7a305f258bc332ae251a1923778bb09853433756959cdd2bda24022
37af044b1baaa5de8b42619c11edfbdb8dc9864cae5c9493464445e65c1c99a8
34917768054a319d17158e7ed486f337abc5566fa77887988204e31bf9b46716
3297524edd890ea83d5aa604cbdf776a281333bd84c207727e938baec72b47be
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36
38837120191cd23110cad69fdd9ebfddef0cdab395d731619f65e3a7823a24f3
69a27509f23964dd1ff7ee0ab28315b05e78cba4f11b1dc7d40e9faa9e27a19e
1413d78e9e5a2d7c99ab112c5d5f5b5d104cc6e0877bc60581bcef25990c2ff5
6a6595880ce130a02d8edbba4da0a2a94dba7928a6185053fcbf70d8ec54ef92
a3c8240b89ec35d5fd17facf5c7ba33247997274c96bc56b67233f4ad392c518
0f58266dde76e2917bfe7a8ab6617a8d5603a4935a76b37f54c5dbaaa7c0e06c
0907da6b0b550231c69e0d2926bf99e5a464fa9d6a6693ce94d68b1a3a2ee1bb
59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15
d45718639cc2ea44fa94d80ad765c251755eda022cd65d0cf3b56fa2c2325c21
4441c7d22ac8cbb9af38beac94273eca26fd3afc27aaace54605969612607365
Domains
pluto.iziis.ukim.edu.mk
medastr.com
bascif.com
handous.net
gohaiendo.com
isns.net
www.ytdl.info
majul.com
instatron.net
blokefeed.club
photographypointer.men
videoanalystes.webcam
www.orcus.one
mariamiler.com
jcondotel.com
www.yolandapalhanoimoveis.com.br
emaclick.com
mystroi24.ru
gremlin.studio
yanchengguoji.com
