BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
55
Global rank
80 infographic chevron month
Month rank
82 infographic chevron week
Week rank
872
IOCs

Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for.

Loader
Type
Unknown
Origin
1 January, 2011
First seen
25 June, 2024
Last seen

How to analyze Glupteba with ANY.RUN

Type
Unknown
Origin
1 January, 2011
First seen
25 June, 2024
Last seen

IOCs

IP addresses
187.134.87.130
39.109.117.57
185.82.216.64
104.18.22.210
92.204.137.153
195.2.70.38
135.181.90.114
193.106.191.101
77.238.229.63
91.142.74.28
18.193.123.112
95.211.241.82
185.136.158.83
151.106.0.201
62.112.8.173
83.149.126.1
151.106.13.122
195.154.222.27
78.46.86.122
5.9.108.164
Hashes
fafd658e8aca4e47f6fc9686599d3a792b572978360bb7f6beefdb481032623c
3384ced441b0819a3317f098004baa7302e21aa7f9fc821e0c6bf122afd7fd9a
b0156555d6449edf6ba7c6eec93493ac451a723562713bba049aecc8636689a0
551939669df16ab16dab57cb9c7601afc266b1cd6bf1fcd32c34ae7a5b5c65b3
c0a584ecaed786266d7d8b90c2b1040e8ba405d9b92a31d1d0ece92d15ae9a77
b16f59007a35fb0603eb8bb643c94ae193d2c2d83a0b40962816d3c1d0966a38
272b7775370f5679e4db6c6bc1d23c93236e6e161b0bb5568aaf98fe8a80004c
e894a79b4d82c77c25a755580e751bc9725d0d4c662205a2a1f7838148973c32
8aec9a6d0849cb10d68adb2ac069a69cbd34b099d410ace5756563dcf52fd79a
254262c768b3868845595b59d4cacb9336f398874705bc3e58f7436941ba5b75
1518c86ff96bf2262d26a3fd038146d36d3e6bec5f1d69395b339ea3970b39af
daacf45b89a0052ef5816741fa089526701840ceeb5b0c0a6ad051e928b3cd3f
91618f63de62bf8fc9b4b30fa7f9b3f86e3167fefe23110cc33da1f6a373a7c6
f4f60420340589f8d6a6877905b6aa0a889698ededee6bfba0f7b21173605ba3
8a69a09d8d00881440f9cb83efbb5ffa48cccf6d8703246843f314055485febe
a82eb549a98032bd5eaec1e29cdb11f9f852e9f0fed81a8fc739a74dfeebd430
ae300ff136c4e6c49f14f48f4396ef441bdf6a6c3d4ddd8cb408aa1581d2767e
b36b207faf0c8bd32f207dc5348bb451c671a945c166371618c43dcc61c0d80c
957587ec7fe323188a5aa0a2884ab3a6f04a032dc32eeebf50614a0bf976d16f
a70c9546845b8d594dea7e3e66b9a4c2379a921f7a10731f3a963c7444595765
Domains
rustmacro.ru
porompa.xyz
hotbooks.xyz
bidar.xyz
ostdownload.xyz
brokenlegz.top
x4l2doee6uhhf3lqjvjodgqtxsjvwbkdqyldhwyhwkhf4y23aqq7jayd.onion
novyiperec.xyz
sleepingcontrol.com
getfixed.xyz
mastiakele.ae.org
r5vg4h5rlwmo6oa3p3vlckuvf5na2wb2tnqbsbkivhrhlyze6czlpjad.onion
carcamera.xyz
playfire.online
iceanedy.com
bigtext.club
0df.ru
woproperty.xyz
gfixprice.xyz
portmdfmoon.com
URLs
https://server15.thestatsfiles.ru/api/poll
https://server15.thestatsfiles.ru/api/restriction-us
https://server15.thestatsfiles.ru/api/signature/8e67f58837092385dcf01e8a2b4f5783
https://server15.thestatsfiles.ru/api/cdn
https://server2.dumperstats.org/api/poll
https://server2.dumperstats.org/api/restriction-us
https://server2.dumperstats.org/api/signature/8e67f58837092385dcf01e8a2b4f5783
https://server2.dumperstats.org/api/cdn
https://server9.thestatsfiles.ru/api/poll
https://server9.thestatsfiles.ru/api/restriction-us
https://server9.thestatsfiles.ru/api/signature/8e67f58837092385dcf01e8a2b4f5783
https://server9.thestatsfiles.ru/api/cdn
https://server2.filesdumpplace.org/api/poll
https://server2.filesdumpplace.org/api/signature/8e67f58837092385dcf01e8a2b4f5783
https://server2.filesdumpplace.org/api/restriction-us
https://server2.filesdumpplace.org/api/cdn
https://server14.filesdumpplace.org/api/poll
https://server7.filesdumpplace.org/api/poll
https://server14.filesdumpplace.org/api/signature/8e67f58837092385dcf01e8a2b4f5783
https://server14.filesdumpplace.org/api/restriction-us
Last Seen at

Recent blog posts

post image
What Are the 3 Types of Threat Intelligence D...
watchers 149
comments 0
post image
Expert Q&A: Aaron Fillmore on his Cyberse...
watchers 161
comments 0
post image
Malware Trends Report: Q2, 2024 
watchers 1630
comments 0

What is Glupteba malware?

Glupteba is a dropper — it is commonly used to install other malware samples on infected machines. Although it was initially thought that Glupteba was developed to be a part of a malicious campaign codenamed Operation Windigo, researchers now believe that it is independent malware.

Although Glupteba trojan classifies as a dropper it has some additional dangerous functions. For example, it has the ability to steal information from infected systems. In addition, it can download a component that is able to control routers and relay traffic.

Furthermore, it seems that this malware is under active development and creators employ dangerous and rarely used techniques to keep their creation active despite various malware removal programs. The reason is probably behind their presumable move to a pay-per-install distribution scheme which means that they must keep the malware relevant to profit from it.

General description of Glupteba dropper

Glupteba malware was first spotted in the wild in 2011 when it was distributed by TDL-4 bootkit among a series of other malware types. The virus went quite for a long time thanks to the malware removal tools until it surfaced again three years later. This time Glupteba was seen in Operation Windigo.

In addition, researchers discovered that command and control domains of Glupteba dropper were hosted on the same machines that powered parts of the Operation Windigo infrastructure. However, the exact connection between Glupteba and Windigo is unclear.

Until recently we didn’t hear much about Glupteba trojan anymore before it surfaced again carrying new, dangerous functionally.

Today, apart from the main dropper functionality Glupteba malware comes with two components: the browsers stealer component and the router exploiter.

The browser stealer comes in two versions that target Chrome, Opera, and the Yandex browser. The malware is capable of stealing cookies and browser history as well as private login credentials.

Then there is the router exploiter component. It exploits the CVE-2018-14847 vulnerability to take control of the routers. This allows attackers to turn compromised routers into SOCKS proxies, which redirect traffic from compromised machines. Thus, infected routers can become relay points for spam distribution and more.

For instance, there is a theory that some of the relayed traffic is part of an attack on Instagram, though it is impossible to tell for sure due to the HTTP encryption.

Malware analysis of Glupteba

The video generated by the ANY.RUN interactive malware hunting service shows the execution process of Glupteba. You can also analyze other malicious objects like Ave Maria and Smoke Loader.

process graph of the glupteba execution Figure 1: This graph generated by the ANY.RUN malware hunting service shows processes started by Glupteba Trojan

text report of the glupteba analysis Figure 2: A customizable text report created by ANY.RUN

Glupteba trojan execution process

After Glupteba makes its way into the system it's starts CMD.exe process to run CompMgmtLauncher.exe ("Computer Management Snapin Launcher"). The malware uses CompMgmtLauncher.exe to bypass UAC and run itself with administrative privileges. After that, it typically adds itself to autorun in the registry, renames an executable file and copies it to Windows subdirectories. Glupteba also checks the system for anti-malware solutions, adds firewall rules and defender exclusions. In addition to the above, this malware also adds itself to Schedule Tasks to persistence in the infected system. Throughout its lifecycle, Glupteba exchanges packets with the C2 server and has the ability to download other malware.

Glupteba C&C communication

Glupteba has a rather unique trick up its sleeve that involves no other than the Bitcoin blockchain. It can use transactions in the Bitcoin network to receive C&C domains. This function is triggered on schedule or by demand if there is a need.

It enables the attackers to pass new C&C domains to the malware, allowing it to restore operation by reconnecting to a new domain if something happens to the old one.

Glupteba malware distribution

It should be noted that Glupteba has a very wide distribution range. Since 2017 it has been spotted in 180 countries, though almost one-third of the attacks were concentrated in Ukraine, Russia, and Turkey.

In the past, the malware was distributed using the infrastructure provided by Windigo’s, however, currently, it is using its own botnet and employes CsdiMonetize adware. The latter downloads another dropper which, in turn, installs the trojan itself.

How to detect Glupteba using ANY.RUN?

Since Glupteba adds records into the registry, analysts can detect it by looking at registry keys. To do so, choose the process by clicking on it in the process tree of the task then click on the "More info" button. In "Advanced details of process" window switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes a key with the name "UUID" into the key HKEY_CURRENT_USER\Software\Microsoft\TestApp, you are dealing with Glupteba and it's time to get the malware removal program ready.

how to detect glupteba Figure 3: Changes Glupteba made in the registry

Conclusion

Glupteba is proving to be a rather dangerous malware that researchers and cybersecurity specialists should not take lightly. Besides its ability to install other malware samples on infected machines, the malware is capable of stealing information from web browser applications. It can also download a component that reroutes traffic by taking control of web-routers.

We also know that this malware uses unique techniques when it comes to C&C communication. And if that was not enough, evidence suggests that it is in active development and attackers seem to be adding more potentially destructive features.

ANY.RUN has prepared a selection of advanced tools that allow to dissect and study a sample of Glupteba in an interactive sandbox environment which gives the researcher an ability to pause the simulation and make corrections at any time. Hopefully, by studying this threat along with many others we will be able to medicate the consensus of future malicious attacks.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy