Glupteba

Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for.

Type: Loader
Origin: Unknown
First seen: 1 January, 2011
Last seen: 18 January, 2020
Global rank: 31
Week rank: 24
Month rank: 23
IOCs: 157

What is Glupteba malware?

Glupteba is a dropper: it is commonly used to install other malware samples on infected machines. Although it was initially thought that Glupteba was developed as part of a malicious campaign codenamed Operation Windigo, researchers now believe that it is an independent piece of malware.

Although the Glupteba Trojan is classified as a dropper, it has additional dangerous functions. For example, it can steal information from infected systems. In addition, it can download a component that is able to take control of routers and relay traffic.

Furthermore, this malware appears to be under active development, and its creators employ dangerous and rarely used techniques to keep it effective. The likely reason is their presumed move to a pay-per-install distribution scheme, which means that they must keep the malware relevant in order to profit from it.

General description of Glupteba dropper

Glupteba was first spotted in the wild in 2011, when it was distributed by the TDL-4 bootkit alongside a series of other malware types. The virus went quiet for a long time until it surfaced again three years later, this time as part of Operation Windigo.

In addition, researchers discovered that the command and control domains of the Glupteba dropper were hosted on the same machines that powered parts of the Operation Windigo infrastructure. However, the exact connection between Glupteba and Windigo remains unclear.

Until recently, little was heard about Glupteba, before it surfaced again carrying new, dangerous functionality.

Today, apart from the main dropper functionality, the Glupteba Trojan comes with two additional components: the browser stealer and the router exploiter.

The browser stealer comes in two versions that target Chrome, Opera and the Yandex browser. It is capable of stealing cookies and browser history as well as saved login credentials.

Then there is the router exploiter component. It exploits the CVE-2018-14847 vulnerability to take control of routers. This allows attackers to turn compromised routers into SOCKS proxies that relay traffic from compromised machines. Thus, infected routers can become relay points for spam distribution and more.

For instance, there is a theory that some of the relayed traffic is part of an attack on Instagram, though it is impossible to tell for sure because the traffic is HTTPS-encrypted.

Malware analysis of Glupteba

The video generated by the ANY.RUN interactive malware hunting service shows the execution process of Glupteba.

Figure 1: This graph generated by the ANY.RUN malware hunting service shows processes started by the Glupteba Trojan

Figure 2: A customizable text report created by ANY.RUN

Glupteba Trojan Execution Process

After Glupteba makes its way into the system, it starts a CMD.exe process to run CompMgmtLauncher.exe ("Computer Management Snapin Launcher"). The malware uses CompMgmtLauncher.exe to bypass UAC and run itself with administrative privileges. After that, it typically adds itself to autorun in the registry, renames its executable file and copies it to Windows subdirectories. Glupteba also checks the system for anti-malware solutions and adds firewall rules and Windows Defender exclusions. In addition, it registers itself in Scheduled Tasks to persist on the infected system. Throughout its lifecycle, Glupteba exchanges packets with the C2 server and can download other malware.

Glupteba C&C communication

Glupteba has a rather unique trick up its sleeve that involves none other than the Bitcoin blockchain: it can read transactions in the Bitcoin network to retrieve C&C domains. This function is triggered on a schedule or on demand when needed.

This lets the attackers pass new C&C domains to the malware, allowing it to restore operation by reconnecting to a new domain if something happens to the old one.

Glupteba distribution

It should be noted that Glupteba has a very wide distribution range. Since 2017 it has been spotted in 180 countries, though almost one-third of the attacks were concentrated in Ukraine, Russia, and Turkey.

In the past, the malware was distributed using infrastructure provided by Windigo; currently, however, it uses its own botnet and employs the CsdiMonetize adware. The latter downloads another dropper which, in turn, installs Glupteba itself.

How to detect Glupteba using ANY.RUN?

Since Glupteba adds records to the registry, analysts can detect it by looking at registry keys. To do so, select the process by clicking on it in the task's process tree, then click the "More info" button. In the "Advanced details of process" window, switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes a value named "UUID" under the key HKEY_CURRENT_USER\Software\Microsoft\TestApp, you are dealing with Glupteba.

Figure 3: Changes Glupteba made in the registry
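As an added illustration (not ANY.RUN's code), the script below turns the behaviours listed in the execution-process section and the registry marker from the detection section into checks that run over a few constructed Sysmon-style events; the event field names, file paths and rule names are assumptions, and the TestApp\UUID write is treated as the distinguishing marker.

```python
# Constructed Sysmon-style events (not real telemetry; field names are assumed).
SAMPLE_EVENTS = [
    {"type": "process", "parent": "cmd.exe", "image": "CompMgmtLauncher.exe",
     "cmdline": "CompMgmtLauncher.exe"},
    {"type": "process", "parent": "sample.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr C:\\Windows\\Temp\\sample.exe /sc onlogon"},
    {"type": "process", "parent": "sample.exe", "image": "netsh.exe",
     "cmdline": "netsh advfirewall firewall add rule name=sample dir=in action=allow "
                "program=C:\\Windows\\Temp\\sample.exe"},
    {"type": "process", "parent": "sample.exe", "image": "powershell.exe",
     "cmdline": "powershell Add-MpPreference -ExclusionPath C:\\Windows\\Temp"},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "sample", "data": r"C:\Windows\Temp\sample.exe"},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\TestApp",
     "value": "UUID", "data": "<constructed-guid>"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]

# Each rule: (name, event type it applies to, predicate). Matching is case-insensitive.
RULES = [
    ("uac_bypass_compmgmtlauncher", "process",   # cmd.exe -> CompMgmtLauncher.exe (UAC bypass)
     lambda e: e["parent"].lower() == "cmd.exe" and e["image"].lower() == "compmgmtlauncher.exe"),
    ("autorun_run_key", "registry",              # autorun entry under ...\CurrentVersion\Run
     lambda e: e["key"].lower().endswith(r"\currentversion\run")),
    ("scheduled_task_persistence", "process",    # schtasks /create for persistence
     lambda e: e["image"].lower() == "schtasks.exe" and "/create" in e["cmdline"].lower()),
    ("firewall_rule_added", "process",           # netsh advfirewall ... add rule
     lambda e: e["image"].lower() == "netsh.exe" and "advfirewall" in e["cmdline"].lower()
               and "add rule" in e["cmdline"].lower()),
    ("defender_exclusion_added", "process",      # Add-MpPreference -Exclusion*
     lambda e: "add-mppreference" in e["cmdline"].lower() and "-exclusion" in e["cmdline"].lower()),
    ("glupteba_testapp_uuid", "registry",        # the page's marker: TestApp\UUID
     lambda e: e["key"].lower() == r"hkey_current_user\software\microsoft\testapp"
               and e["value"].lower() == "uuid"),
]


def detect(events):
    """Return the names of the rules matched by the event list, in rule order."""
    hits = []
    for name, etype, pred in RULES:
        if any(e["type"] == etype and pred(e) for e in events):
            hits.append(name)
    return hits


def is_glupteba_like(events):
    """True when the TestApp\\UUID marker is present and at least two corroborating behaviours fire."""
    hits = detect(events)
    return "glupteba_testapp_uuid" in hits and len(hits) >= 3


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```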

Conclusion

Glupteba is proving to be rather dangerous malware that researchers and cybersecurity specialists should not take lightly. Besides installing other malware samples on infected machines, it is capable of stealing information from web browsers. It can also download a component that reroutes traffic by taking control of routers.

We also know that this malware uses a unique technique for C&C communication. And if that were not enough, evidence suggests that it is under active development and that the attackers are adding more potentially destructive features.

ANY.RUN offers a selection of advanced tools that allow researchers to dissect and study a sample of Glupteba in an interactive sandbox environment, which gives the researcher the ability to pause the simulation and make corrections at any time. Hopefully, by studying this threat along with many others, we will be able to mitigate the consequences of future malicious attacks.

IOCs

IP addresses
Hashes
Domains
