| Attribute | Details |
|---|---|
| Additional Names | Glupteba dropper |
| Type of Malware | Backdoor Trojan, Botnet, Password-stealing virus, Router exploiter |
| Date of Initial Activity | 2011 |
| Motivation | Deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet |
| Attack Vectors | Infected email attachments, malicious online advertisements, social engineering, software "cracks", and exploit kits |
| Targeted System | Windows OS |
Known since 2011, Glupteba is a Windows backdoor that gradually matured into a botnet. By 2019 it included a C&C address update mechanism that reads publicly visible Bitcoin blockchain data, an integrated browser credential stealer, and a router exploiter.
Targets: ordinary users.
Tools / Techniques Used
Glupteba infects computers by disguising itself as legitimate software or by arriving through exploit kits, giving the attacker backdoor access to the compromised system. It uses HTTPS for encrypted communication with its command-and-control (C&C) servers: a small set of primary servers, plus an unusual fallback mechanism that locates backup servers through data published on the Bitcoin blockchain.
These backup domains are stored encrypted with AES-256 under a secret key embedded in the Glupteba binary. When the primary servers are unreachable, the malware scans the blockchain for additional domains and decrypts them with that key.
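As an added example (not code from this page or from Glupteba itself), the Go program below shows how an analyst could validate an extractor for blockchain-stored backup domains before using it to feed DNS blocklists: it parses the data push of an OP_RETURN output, decrypts the payload with the embedded key, and rejects anything that is not an OP_RETURN or whose authentication tag does not verify. Assumptions: the domain sits in an OP_RETURN output, AES-256 is used in GCM mode with a 12-byte nonce prefixed to the ciphertext, and the key and sample transaction output are constructed here; the page states only that AES-256 and an embedded key are involved.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed stand-in for the AES-256 key embedded in the binary (not a real Glupteba key).
var embeddedKey = []byte("0123456789abcdef0123456789abcdef")

// OpReturnPayload returns the bytes pushed after OP_RETURN (0x6a); only direct pushes (1..75 bytes) are handled.
func OpReturnPayload(script []byte) ([]byte, error) {
	if len(script) < 2 || script[0] != 0x6a {
		return nil, errors.New("not an OP_RETURN output")
	}
	if n := int(script[1]); n < 1 || n > 75 || len(script) != 2+n {
		return nil, errors.New("unsupported or malformed push")
	}
	return script[2:], nil
}

// DecryptBackupDomain decrypts a payload laid out as nonce(12) || AES-256-GCM ciphertext||tag.
// GCM and the nonce prefix are assumptions; the page states only "AES 256".
func DecryptBackupDomain(script []byte) (string, error) {
	payload, err := OpReturnPayload(script)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(embeddedKey) // 32-byte key, so NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block)
	if len(payload) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("payload too short for nonce and tag")
	}
	plain, err := gcm.Open(nil, payload[:gcm.NonceSize()], payload[gcm.NonceSize():], nil)
	if err != nil {
		return "", fmt.Errorf("GCM open failed (wrong key or tampered data): %w", err)
	}
	return string(plain), nil
}

// BuildSampleScript constructs an OP_RETURN output for offline testing; the fixed nonce is test-only.
func BuildSampleScript(domain string) []byte {
	block, _ := aes.NewCipher(embeddedKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := []byte("constructed!") // 12 bytes, constructed
	data := append(append([]byte{}, nonce...), gcm.Seal(nil, nonce, []byte(domain), nil)...)
	return append([]byte{0x6a, byte(len(data))}, data...)
}
```

Against a real sample, `embeddedKey` and the payload layout must be recovered from the binary under analysis; the functions above only demonstrate the parse-then-authenticate shape of the extractor.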
Some Glupteba variants can spread laterally by exploiting vulnerabilities in Microsoft SMBv1, as the WannaCry ransomware did. Glupteba's modular design lets it download and deploy a range of malicious components, including malware droppers, credential stealers, cryptocurrency miners, and malvertising modules.
Once it has gained initial access to a system, the malware can deploy additional malicious code such as ransomware or infostealers. It also exfiltrates user credentials and cookies, which allow unauthorized access to user accounts or hijacking of active website sessions. Infected machines can be enlisted in a cryptocurrency mining botnet that consumes their computing resources to mine digital currency, and some variants install browser extensions that serve malicious ads, letting the attacker profit, steal data, or carry out further malicious actions.