Glupteba

Glupteba is a loader with information-stealing and traffic-routing functionality. It is designed primarily to install other malware on infected PCs, but it can do much more than that. It is also constantly updated, which makes it a threat worth watching.

Type: Loader
Origin: Unknown
First seen: 1 January, 2011
Last seen: 11 July, 2020
Global rank: 34
Week rank: 23
Month rank: 25
IOCs: 695

What is Glupteba malware?

Glupteba is a dropper: it is commonly used to install other malware samples on infected machines. Although it was initially thought that Glupteba was developed as part of a malicious campaign codenamed Operation Windigo, researchers now believe it is an independent malware family.

Although the Glupteba Trojan is classified as a dropper, it has additional dangerous functions. For example, it can steal information from infected systems, and it can download a component that takes control of routers and relays traffic through them.

Furthermore, the malware appears to be under active development, and its creators employ dangerous and rarely used techniques to keep it operational. The likely reason is their presumed move to a pay-per-install distribution scheme, which means they must keep the malware relevant in order to profit from it.

General description of Glupteba dropper

Glupteba was first spotted in the wild in 2011, when it was distributed by the TDL-4 bootkit alongside a number of other malware families. The malware then went quiet for a long time until it surfaced again three years later, this time as part of Operation Windigo.

In addition, researchers discovered that the command-and-control domains of the Glupteba dropper were hosted on the same machines that powered parts of the Operation Windigo infrastructure. However, the exact connection between Glupteba and Windigo remains unclear.

After that, little was heard about Glupteba until it recently surfaced again carrying new, dangerous functionality.

Today, apart from its main dropper functionality, the Glupteba Trojan comes with two additional components: a browser stealer and a router exploiter.

The browser stealer comes in two versions and targets Chrome, Opera, and the Yandex browser. It can steal cookies and browsing history as well as saved login credentials.

Then there is the router exploiter component. It exploits CVE-2018-14847 to take control of routers, which allows the attackers to turn the compromised routers into SOCKS proxies that relay traffic from compromised machines. Infected routers can thus become relay points for spam distribution and other activity.

For instance, there is a theory that some of the relayed traffic is part of an attack on Instagram, though this cannot be confirmed because the traffic is encrypted (HTTPS).

Malware analysis of Glupteba

The video generated by the ANY.RUN interactive malware hunting service shows the execution process of Glupteba.

Figure 1: Process graph generated by the ANY.RUN malware hunting service showing the processes started by the Glupteba Trojan

Figure 2: A customizable text report of the Glupteba analysis created by ANY.RUN

Glupteba Trojan Execution Process

After Glupteba makes its way into the system, it starts a cmd.exe process to run CompMgmtLauncher.exe ("Computer Management Snapin Launcher"). The malware uses CompMgmtLauncher.exe to bypass UAC and run itself with administrative privileges. After that, it typically adds itself to autorun in the registry, renames its executable file, and copies it into Windows subdirectories. Glupteba also checks the system for anti-malware solutions, adds firewall rules, and adds Windows Defender exclusions. In addition, it creates a scheduled task to persist on the infected system. Throughout its lifecycle, Glupteba exchanges packets with the C2 server and can download other malware.

Glupteba C&C communication

Glupteba has a rather unique trick up its sleeve that involves none other than the Bitcoin blockchain: it can use transactions in the Bitcoin network to receive C&C domains. This function runs on a schedule or on demand when needed.

It enables the attackers to pass new C&C domains to the malware, allowing it to restore operation by reconnecting to a new domain if something happens to the old one.

Glupteba distribution

It should be noted that Glupteba has a very wide distribution range. Since 2017 it has been spotted in 180 countries, though almost one-third of the attacks were concentrated in Ukraine, Russia, and Turkey.

In the past, the malware was distributed using Windigo's infrastructure; currently, however, it uses its own botnet and employs the CsdiMonetize adware. The latter downloads another dropper which, in turn, installs Glupteba itself.

How to detect Glupteba using ANY.RUN?

Since Glupteba writes records into the registry, analysts can detect it by examining registry changes. To do so, select the process by clicking on it in the task's process tree, then click the "More info" button. In the "Advanced details of process" window, switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes an entry named "UUID" under the key HKEY_CURRENT_USER\Software\Microsoft\TestApp, you are dealing with Glupteba.
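As an added example (not ANY.RUN's code and not part of the original write-up), the Python script below applies the two behaviours described on this page, the cmd.exe to CompMgmtLauncher.exe UAC-bypass chain from the execution-process section and the "UUID" entry under HKEY_CURRENT_USER\Software\Microsoft\TestApp from this section, to a few constructed process and registry event lines. The pipe-delimited event format, the sample paths and the "csrss" value name are assumptions, and the Run-key autorun check is a generic corroborating signal rather than an indicator taken from the page.

```python
# Indicators taken from the write-up above; the event line format is an assumption
UAC_BYPASS_PARENT = "cmd.exe"
UAC_BYPASS_CHILD = "compmgmtlauncher.exe"
GLUPTEBA_KEY = r"hkey_current_user\software\microsoft\testapp"
GLUPTEBA_VALUE = "uuid"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
def parse_event(line):
    """Parse one 'kind|field=value|...' line into a dict (assumed export format)."""
    kind, *fields = line.strip().split("|")
    event = {"kind": kind}
    for field in fields:
        name, _, value = field.partition("=")
        event[name] = value
    return event

def basename(path):
    # Lower-cased last path component, so parent/image paths compare by file name
    return path.rsplit("\\", 1)[-1].lower()

def check_event(event):
    """Return the Glupteba behaviours a single event matches (empty list if none)."""
    findings = []
    if event["kind"] == "process":
        # cmd.exe launching CompMgmtLauncher.exe is the UAC-bypass chain described above
        if (basename(event.get("parent", "")) == UAC_BYPASS_PARENT
                and basename(event.get("image", "")) == UAC_BYPASS_CHILD):
            findings.append("uac_bypass_compmgmtlauncher")
    elif event["kind"] == "registry":
        key, name = event.get("key", "").lower(), event.get("name", "").lower()
        # The UUID entry under HKCU\Software\Microsoft\TestApp is the page's own indicator
        if key == GLUPTEBA_KEY and name == GLUPTEBA_VALUE:
            findings.append("glupteba_testapp_uuid")
        elif key == RUN_KEY:  # generic autorun entry, only corroborates the above
            findings.append("autorun_run_key")
    return findings

def scan(lines):
    """Group matching events by finding name; blank lines are skipped."""
    hits = {}
    for event in (parse_event(l) for l in lines if l.strip()):
        for finding in check_event(event):
            hits.setdefault(finding, []).append(event)
    return hits

# Constructed sample events, not a real ANY.RUN export
SAMPLE_EVENTS = r"""
process|image=C:\Windows\System32\CompMgmtLauncher.exe|parent=C:\Windows\System32\cmd.exe
registry|op=write|key=HKEY_CURRENT_USER\Software\Microsoft\TestApp|name=UUID
registry|op=write|key=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|name=csrss
process|image=C:\Windows\explorer.exe|parent=C:\Windows\System32\userinit.exe
"""
```

Running scan(SAMPLE_EVENTS.splitlines()) reports all three findings once each; the benign explorer.exe line produces nothing.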

Figure 3: Changes Glupteba made in the registry

Conclusion

Glupteba is proving to be a rather dangerous malware that researchers and cybersecurity specialists should not take lightly. Besides its ability to install other malware samples on infected machines, it is capable of stealing information from web browsers. It can also download a component that reroutes traffic by taking control of routers.

We also know that this malware uses unusual techniques for C&C communication. And if that were not enough, evidence suggests that it is in active development and that the attackers are adding more potentially destructive features.

ANY.RUN provides a selection of advanced tools for dissecting and studying a Glupteba sample in an interactive sandbox environment, which gives researchers the ability to pause the analysis and adjust it at any time. Hopefully, by studying this threat along with many others, we will be able to mitigate the consequences of future malicious attacks.

IOCs

