Glupteba

Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for.

Type: Loader
Origin: Unknown
First seen: 1 January, 2011
Last seen: 21 October, 2021
Global rank: 35
Week rank: 29
Month rank: 34
IOCs: 3469

What is Glupteba malware?

Glupteba is a dropper — it is commonly used to install other malware samples on infected machines. Although it was initially thought that Glupteba was developed to be a part of a malicious campaign codenamed Operation Windigo, researchers now believe that it is independent malware.

Although the Glupteba trojan is classified as a dropper, it has some additional dangerous functions. For example, it has the ability to steal information from infected systems. In addition, it can download a component that is able to take control of routers and relay traffic.

Furthermore, this malware appears to be under active development, and its creators employ dangerous and rarely used techniques to keep it running despite various malware removal programs. The likely reason is their presumed move to a pay-per-install distribution scheme, which means they must keep the malware effective in order to profit from it.

General description of Glupteba dropper

Glupteba malware was first spotted in the wild in 2011, when it was distributed by the TDL-4 bootkit alongside a series of other malware types. The virus went quiet for a long time, thanks to malware removal tools, until it surfaced again three years later. This time Glupteba was seen in Operation Windigo.

In addition, researchers discovered that command and control domains of Glupteba dropper were hosted on the same machines that powered parts of the Operation Windigo infrastructure. However, the exact connection between Glupteba and Windigo is unclear.

Until recently we didn't hear much about the Glupteba trojan, before it surfaced again carrying new, dangerous functionality.

Today, apart from its main dropper functionality, Glupteba malware comes with two components: the browser stealer and the router exploiter.

The browser stealer comes in two versions that target Chrome, Opera, and the Yandex browser. The malware is capable of stealing cookies and browser history as well as private login credentials.

Then there is the router exploiter component. It exploits the CVE-2018-14847 vulnerability to take control of routers. This allows attackers to turn compromised routers into SOCKS proxies, which redirect traffic from compromised machines. Thus, infected routers can become relay points for spam distribution and more.

For instance, there is a theory that some of the relayed traffic is part of an attack on Instagram, though it is impossible to tell for sure because the traffic is encrypted (HTTPS).

Malware analysis of Glupteba

The video generated by the ANY.RUN interactive malware hunting service shows the execution process of Glupteba.

Figure 1: This graph, generated by the ANY.RUN malware hunting service, shows processes started by the Glupteba Trojan

Figure 2: A customizable text report created by ANY.RUN

Glupteba trojan execution process

After Glupteba makes its way into the system, it starts a CMD.exe process to run CompMgmtLauncher.exe ("Computer Management Snapin Launcher"). The malware uses CompMgmtLauncher.exe to bypass UAC and run itself with administrative privileges. After that, it typically adds itself to autorun in the registry, renames its executable file and copies it to Windows subdirectories. Glupteba also checks the system for anti-malware solutions and adds firewall rules and Defender exclusions. In addition, it registers itself in Scheduled Tasks to persist on the infected system. Throughout its lifecycle, Glupteba exchanges packets with the C2 server and has the ability to download other malware.

Glupteba C&C communication

Glupteba has a rather unique trick up its sleeve that involves none other than the Bitcoin blockchain. It can use transactions in the Bitcoin network to receive C&C domains. This function is triggered on a schedule or on demand when a new domain is needed.

It enables the attackers to pass new C&C domains to the malware, allowing it to restore operation by reconnecting to a new domain if something happens to the old one.
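As an added example (not code from the page or from ANY.RUN): an analyst tracking the wallet behind this mechanism can decode what a transaction carries. Public analyses describe the domain as being placed in an OP_RETURN output, so the decoder below parses the data-push part of such a scriptPubKey and keeps only values that look like a domain. The scripts are constructed, and the payload is assumed to be cleartext; undoing any extra encoding or encryption a sample applies is out of scope here.

```python
import re

# Constructed scriptPubKey hex strings standing in for the outputs of one
# transaction; none of these are real Glupteba transactions.
SAMPLE_OUTPUTS = [
    "76a914" + "00" * 20 + "88ac",      # ordinary P2PKH payment output: ignored
    "6a0b6578616d706c652e636f6d",       # OP_RETURN, push(11) "example.com"
    "6a4c0b6578616d706c652e636f6d",     # same data carried via OP_PUSHDATA1
    "6a04deadbeef",                     # OP_RETURN with non-text data: ignored
]
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")

def extract_op_return(script_hex):
    """Return the data pushed after OP_RETURN, or None if this is not such a script."""
    s = bytes.fromhex(script_hex)
    if not s or s[0] != 0x6A:                  # 0x6a = OP_RETURN
        return None
    i, chunks = 1, []
    while i < len(s):
        op, i = s[i], i + 1
        if 1 <= op <= 0x4B:                    # direct push of 1..75 bytes
            n = op
        elif op == 0x4C and i < len(s):        # OP_PUSHDATA1: 1-byte length
            n, i = s[i], i + 1
        elif op == 0x4D and i + 2 <= len(s):   # OP_PUSHDATA2: 2-byte LE length
            n, i = int.from_bytes(s[i:i + 2], "little"), i + 2
        else:                                  # anything else is not a plain data push
            return None
        if i + n > len(s):                     # truncated push: reject rather than guess
            return None
        chunks.append(s[i:i + n])
        i += n
    return b"".join(chunks)

def c2_candidates(script_pubkeys):
    """Unique, domain-looking OP_RETURN payloads from a transaction's outputs."""
    found = []
    for spk in script_pubkeys:
        data = extract_op_return(spk)
        if data is None:
            continue
        try:
            text = data.decode("ascii").strip().lower()
        except UnicodeDecodeError:             # binary payload, not a bare domain
            continue
        if DOMAIN_RE.fullmatch(text) and text not in found:
            found.append(text)
    return found
```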

Glupteba malware distribution

It should be noted that Glupteba has a very wide distribution range. Since 2017 it has been spotted in 180 countries, though almost one-third of the attacks were concentrated in Ukraine, Russia, and Turkey.

In the past, the malware was distributed using infrastructure provided by Windigo; currently, however, it uses its own botnet and employs the CsdiMonetize adware. The latter downloads another dropper which, in turn, installs the trojan itself.

How to detect Glupteba using ANY.RUN?

Since Glupteba adds records into the registry, analysts can detect it by looking at registry keys. To do so, choose the process by clicking on it in the process tree of the task then click on the "More info" button. In "Advanced details of process" window switch to the "Registry changes" tab and take a closer look. If the analyzed sample writes a key with the name "UUID" into the key HKEY_CURRENT_USER\Software\Microsoft\TestApp, you are dealing with Glupteba and it's time to get the malware removal program ready.
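The execution chain and the registry indicator described above can be turned into simple detection logic. The script below is an added example (not code from the page or from ANY.RUN) that runs three rules over constructed Sysmon-style events: cmd.exe spawning CompMgmtLauncher.exe, a write to the TestApp\UUID value, and a write under the standard Windows Defender exclusions key (that key path is assumed, not taken from the page).

```python
import json

# Constructed Sysmon-style events as JSON lines; not captured from a real sample.
# Event 1 = process creation, event 13 = registry value set (HKCU shows as HKU\<SID>).
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\user\\Downloads\\invoice.exe", "CommandLine": "cmd.exe /c CompMgmtLauncher.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\CompMgmtLauncher.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "CompMgmtLauncher.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 13, "Image": "C:\\Users\\user\\Downloads\\invoice.exe", "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\TestApp\\UUID", "Details": "placeholder-uuid"}
{"EventID": 13, "Image": "C:\\Users\\user\\Downloads\\invoice.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\user\\Downloads", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
'''

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_compmgmt_uac_bypass(ev):
    # cmd.exe spawning CompMgmtLauncher.exe: the elevation chain described above.
    return (ev["EventID"] == 1
            and _basename(ev["Image"]) == "compmgmtlauncher.exe"
            and _basename(ev["ParentImage"]) == "cmd.exe")

def is_testapp_uuid_write(ev):
    # The ...\Software\Microsoft\TestApp\UUID value the write-up points to.
    return ev["EventID"] == 13 and ev["TargetObject"].lower().endswith(
        "\\software\\microsoft\\testapp\\uuid")

def is_defender_exclusion_write(ev):
    # Any write under the Defender exclusions key (assumed path, not from the page).
    return ev["EventID"] == 13 and "\\windows defender\\exclusions\\" in ev["TargetObject"].lower()

RULES = {
    "glupteba_uac_bypass_compmgmtlauncher": is_compmgmt_uac_bypass,
    "glupteba_registry_testapp_uuid": is_testapp_uuid_write,
    "defender_exclusion_added": is_defender_exclusion_write,
}

def scan(jsonl):
    """Return (line_no, rule_name, image) for every event that matches a rule."""
    hits = []
    for n, line in enumerate(jsonl.strip().splitlines(), 1):
        ev = json.loads(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((n, name, ev["Image"]))
    return hits
```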

Figure 3: Changes Glupteba made in the registry

Conclusion

Glupteba is proving to be a rather dangerous malware that researchers and cybersecurity specialists should not take lightly. Besides its ability to install other malware samples on infected machines, the malware is capable of stealing information from web browsers. It can also download a component that reroutes traffic by taking control of routers.

We also know that this malware uses unique techniques when it comes to C&C communication. And if that was not enough, evidence suggests that it is in active development and attackers seem to be adding more potentially destructive features.

ANY.RUN has prepared a selection of advanced tools that allow analysts to dissect and study a sample of Glupteba in an interactive sandbox environment, which gives the researcher the ability to pause the simulation and make corrections at any time. Hopefully, by studying this threat along with many others, we will be able to mitigate the consequences of future malicious attacks.

IOCs
