Glupteba

Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for.

Type
Loader
Origin
Unknown
First seen
1 January, 2011
Last seen
18 February, 2020
Global rank
32
Week rank
19
Month rank
23
IOCs
193

What is Glupteba malware?

Glupteba is a dropper — it is commonly used to install other malware samples on infected machines. Although it was initially thought that Glupteba was developed to be a part of a malicious campaign codenamed Operation Windigo, researchers now believe that it an independent malware.

Although Glupteba Trojan classifies as a dropper it has some additional dangerous functions. For example, it has the ability to steal information from infected systems. In addition, it can download a component that is able to control routers and relay traffic.

Furthermore, it seems that this malware is under active development and creators employ dangerous and rarely used techniques to keep their creation active. The reason is probably behind their presumable move to a pay-per-install distribution scheme which means that they must keep the malware relevant to profit from it.

General description of Glupteba dropper

Glupteba was first spotted in the wild in 2011 when it was distributed by TDL-4 bootkit among a series of other malware types. The virus went quite for a long time until it surfaced again three years later. This time Glupteba was seen in Operation Windigo.

In addition, researchers discovered that command and control domains of Glupteba dropper were hosted on the same machines that powered parts of the Operation Windigo infrastructure. However, the exact connection between Glupteba and Windigo is unclear.

Until recently we didn’t hear much about Glupteba anymore before it surfaced again carrying new, dangerous functionally.

Today, apart from the main dropper functionality Glupteba Trojan comes with two components: the browsers stealer component and the router exploiter.

The browser stealer comes in two versions that target Chrome, Opera, and the Yandex browser. The malware is capable of stealing cookies and browser history as well as private login credentials.

Then there is the router exploiter component. It exploits the CVE-2018-14847 vulnerability to take control of the routers. This allows attackers to turn compromised routers into SOCKS proxies, which redirect traffic from compromised machines. Thus, infected routers can become relay points for spam distribution and more.

For instance, there is a theory that some of the relayed traffic is part of an attack on Instagram, though it is impossible to tell for sure due to the HTTP encryption.

Malware analysis of Glupteba

The video generated by the ANY.RUN interactive malware hunting service shows the execution process of Glupteba.

process graph of the glupteba execution Figure 1: This graph generated by the ANY.RUN malware hunting service shows processes started by Glupteba Trojan

text report of the glupteba analysis Figure 2: A customizable text report created by ANY.RUN

Glupteba Trojan Execution Process

After Glupteba makes its way into the system it's starts CMD.exe process to run CompMgmtLauncher.exe ("Computer Management Snapin Launcher"). The malware uses CompMgmtLauncher.exe to bypass UAC and run itself with administrative privileges. After that, it typically adds itself to autorun in the registry, renames an executable file and copies it to Windows subdirectories. Glupteba also checks the system for anti-malware solutions, adds firewall rules and defender exclusions. In addition to the above, this malware also adds itself to Schedule Tasks to persistence in the infected system. Throughout its lifecycle, Glupteba exchanges packets with the C2 server and has the ability to download other malware.

Glupteba C&C communication

Glupteba has a rather unique trick up its sleeve that involves no other than the Bitcoin blockchain. It can use transactions in the Bitcoin network to receive C&C domains. This function is triggered on schedule or by demand if there is a need.

It enables the attackers to pass new C&C domains to the malware, allowing it to restore operation by reconnecting to a new domain if something happens to the old one.

Glupteba distribution

It should be noted that Glupteba has a very wide distribution range. Since 2017 it has been spotted in 180 countries, though almost one-third of the attacks were concentrated in Ukraine, Russia, and Turkey.

In the past, the malware was distributed using the infrastructure provided by Windigo’s, however, currently, it is using its own botnet and employes CsdiMonetize adware. The latter downloads another dropper which, in turn, installs Glupteba itself.

How to detect Glupteba using ANY.RUN?

Since Glupteba adds records into the registry, analysts can detect it by looking at registry keys. To do so, choose the process by clicking on it in the process tree of the task then click on the "More info" button. In "Advanced details of process" window switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes a key with the name "UUID" into the key HKEY_CURRENT_USER\Software\Microsoft\TestApp, you are dealing with Glupteba.

how to detect glupteba Figure 3: Changes Glupteba made in the registry

Conclusion

Glupteba is proving to be a rather dangerous malware that researchers and cybersecurity specialists should not take lightly. Besides its ability to install other malware samples on infected machines, the malware is capable of stealing information from web browser applications. It can also download a component that reroutes traffic by taking control of web-routers.

We also know that this malware uses unique techniques when it comes to C&C communication. And if that was not enough, evidence suggests that it is in active development and attackers seem to be adding more potentially destructive features.

ANY.RUN has prepared a selection of advanced tools that allow to dissect and study a sample of Glupteba in an interactive sandbox environment which gives the researcher an ability to pause the simulation and make corrections at any time. Hopefully, by studying this threat along with many others we will be able to medicate the consensus of future malicious attacks.

IOCs

IP addresses
104.24.96.76
192.168.100.131
104.31.137.11
104.31.136.11
192.168.100.93
192.168.100.28
192.168.100.23
192.168.100.219
104.24.105.206
192.168.100.44
192.168.100.116
109.236.80.43
192.168.100.203
172.64.130.22
172.64.130.22
104.31.133.11
192.168.100.25
172.64.131.22
104.24.96.206
172.64.163.32
Hashes
6197e9d2cfada74847dd8d91bfc6918024be3a9f9604c0c66efb57eb92e6f406
c33051bdd518a4a41de46d23ce6eac4ef941b77b7f9183aeff3ecf6eed699f44
04797c6a8341974ba73fa16ab1cca9a84973c68d60ac92bdd20f44310d4cfffa
03009a5d06bfba5887146a48500ebc880a427831fe1a73dd0f4cd328ea5aacf0
a431133a716f190ef6201c9601fa1ee43aef34dd46d0d873a2587a5041dbdf11
6ef337b300118613f2d194e37af3f4e52e242f3414937784d35a53072e22acb0
75ce4a2e35d3cc04be3fec9df48282b6f27f9c9fe8f4fff4ba03f1570cdb370f
0870c55985529208ea06d12c6b7b1ea4083ca07d8572d29b7e5362575441dfba
32da526e3087e3b8a3ee6682c43d1949f35632530b26be1d96fed653ae77cea8
c2ca148808057b9e2dded5c6b887c3f700d5b35344b49c6fbe012451a09b7b62
cfcee9378aacb84c082b3e8e6f249baa66f9758ecd0709e8d1a5b618396a1d5e
a82eb549a98032bd5eaec1e29cdb11f9f852e9f0fed81a8fc739a74dfeebd430
caed6813b3a4c0ea0dc9ec279f25e95cb2fee7b1ef282eb7b4765eb5543057ad
5b27906dd0c4e9783014bd5b60e15c204d9dbd9c2d7bcd64a7a327f6be3a9559
ccdb0e0edc95afc2990e1d3534a77fd8d58039874afaf0ad52eeb9680f85e802
6f0307c57fd1c37bb46e667df39a8d31dc940fb0b3d494763ee3de9058c1b9cd
b82ceb8d028b0b73ba114d15822beb8d9757c7fc9e38ee40fbd3cd9bc511a51e
2eb903dbc21af15521bf2858618f6d404e2db1f15c529651508fa68f294b156a
13dbc3a07d16964cd99bb3372be74a8b672feec09cfedd64adaba087ea4e6eea
ba17a4cc2aaf2a30a5103f02d795dc12f3ed957fac73486af04c304d471bb3e0
Domains
thuocnam.tk
majul.com
m-onetrading-jp.com
krupskaya.com
isns.net
ie8eamus.com
elx01.knas.systems
whitecontroller.com
smartlink.cool
apiurl.org
tm.tknpm.com
tknpm.com
topswp.com
reorget.com
cdn.maxcdn.info
olweb.maxcdn.info
feed-6003.codemylife.info
interestourflash.info
happynewyeareve2019quotes.com
f14web.com.ar

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More
Dridex screenshot
Dridex
dridex trojan banker
Dridex is a very evasive and technically complex banking Trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous.
Read More