Recently, cyberattacks involving the Glupteba malware were discovered. Glupteba is an old malware family that was first seen in the attack campaign called "Windigo", where it was spread to Windows users through a vulnerability.
In 2018, a security firm reported that Glupteba had started acting independently of Windigo and had moved to a pay-per-install adware service. Glupteba activity serves different purposes: providing proxy services, exploiting vulnerabilities for mining activity, and so on.
After researching recently discovered Glupteba variants, we found two previously undocumented components in addition to the Glupteba malware itself:
1. A browser-stealing component that steals sensitive data from browsers, such as browsing history, website cookies, account names and passwords, and sends the information to a remote server.
2. A router-attacking component that exploits the CVE-2018-14847 vulnerability against MikroTik routers on the local network. It uploads the stolen administrator credentials to the server, and the router is then used as a proxy relay.
In addition, we discovered that Glupteba can use Bitcoin transactions to obtain its latest C&C domain name. We will explain this feature further in the next section. The malware developers are still improving their software and working to extend their proxy network to IoT devices.
## Glupteba downloader analysis
The function sendparentprocess gets the machine_guid from the registry, the distributor ID and activity ID from the file name, and the PID and name of the parent process. The program embeds this information in a POST request, encrypted with the AES algorithm, and uploads it to the C&C server. The request parameters are:
challenge=e94e354daf5f48ca&cloudnet_file=1&cloudnet_process=1&lcommand=0&mrt=1&pgdse=0&sb=1&sc=0&uuid=&version=145&wup_process=1&wupv=0
Finally, the function handlecommand implements the backdoor functionality.
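The parameter set quoted above is distinctive enough to act as a content signature once the POST body is available in plaintext (for example from a sandbox run or a decrypting proxy). The following detector is an added example, not code from the article: it parses form-encoded POST bodies and flags the ones whose keys match the Glupteba check-in. The sample bodies are constructed, and the function names, key sets and threshold are our own assumptions.

```python
"""Flag Glupteba downloader check-ins in captured HTTP POST bodies.

Added example, not from the article. Sample bodies are constructed; the
function names, key sets and match threshold are assumptions."""
from urllib.parse import parse_qs

# Parameter names the article lists in the downloader's POST request.
GLUPTEBA_KEYS = {"challenge", "cloudnet_file", "cloudnet_process", "lcommand",
                 "mrt", "pgdse", "sb", "sc", "uuid", "version",
                 "wup_process", "wupv"}
# The subset that is unusual enough to carry the signature on its own;
# generic names such as "version" or "uuid" appear in legitimate traffic too.
DISTINCTIVE_KEYS = {"cloudnet_file", "cloudnet_process", "wup_process",
                    "wupv", "pgdse"}


def classify_body(body: str, min_distinctive: int = 3) -> dict:
    """Parse one form-encoded body and report how closely it matches the
    Glupteba check-in, plus the fields worth recording as indicators."""
    params = parse_qs(body, keep_blank_values=True)   # uuid= is empty in the sample
    keys = set(params)
    distinctive = sorted(keys & DISTINCTIVE_KEYS)
    return {
        "match": len(distinctive) >= min_distinctive,
        "distinctive_keys": distinctive,
        # share of the full documented key set present in this body
        "coverage": len(keys & GLUPTEBA_KEYS) / len(GLUPTEBA_KEYS),
        "challenge": params.get("challenge", [""])[0],
        "uuid": params.get("uuid", [""])[0],
        "version": params.get("version", [""])[0],
    }


def scan_bodies(bodies):
    """Return (index, classification) for every body that matches."""
    hits = []
    for idx, body in enumerate(bodies):
        result = classify_body(body)
        if result["match"]:
            hits.append((idx, result))
    return hits


# Constructed samples: the first mirrors the parameter string quoted in the
# article, the second is an ordinary login form that must not match.
SAMPLE_BODIES = [
    "challenge=e94e354daf5f48ca&cloudnet_file=1&cloudnet_process=1&lcommand=0"
    "&mrt=1&pgdse=0&sb=1&sc=0&uuid=&version=145&wup_process=1&wupv=0",
    "username=alice&password=hunter2&remember=1",
]

if __name__ == "__main__":
    for idx, result in scan_bodies(SAMPLE_BODIES):
        print(f"body {idx}: Glupteba check-in, version={result['version']}, "
              f"challenge={result['challenge']}, keys={result['distinctive_keys']}")
```

The `challenge`, `uuid` and `version` fields are returned separately because they are the values worth keeping in an incident record: `version` identifies the downloader build and `uuid` ties repeated check-ins to one infected host.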
Once the component successfully connects to a device listening on port 8291, it attempts to attack the device by exploiting CVE-2018-14847, a vulnerability in the RouterOS system used on MikroTik routers that allows attackers to obtain administrator credentials from unpatched routers. The obtained account name and password are stored in a JSON object, encrypted, and sent to the C&C server.
After the credentials are obtained, a task is added to the router's scheduler. There are three ways to add a scheduler task: using the Winbox protocol, using SSH, or using the API.
After this setup, the router becomes a SOCKS proxy that the attacker uses to relay traffic. The first remote connection is the attacker's server routing a query through the SOCKS proxy; this query returns the IP address of the current SOCKS proxy server. The query is sent repeatedly, probably to monitor that the SOCKS proxy service is still working.
After the first check of the router status, two types of traffic connect to different servers through the proxy. The first is spam traffic: using the router's SOCKS proxy, a remote server connects to the SMTP port of many different mail servers. If a mail server accepts the connection, the remote server starts sending spam.
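The router-side behaviour described in the last few paragraphs leaves two traces in flow logs that a defender can look for: an internal host that is not a management station opening Winbox (TCP 8291) connections to other internal devices, and the router itself fanning out to many external SMTP servers once it has been turned into a SOCKS relay. The following heuristics are an added example, not code from the article; the flow records, LAN range, router address, management-host list and thresholds are constructed assumptions.

```python
"""Flow-log heuristics for the MikroTik attack and spam-relay behaviour.

Added example, not from the article. Flow records, addresses, host roles
and thresholds below are constructed assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")      # assumed LAN range
ROUTER = "192.168.1.1"                        # assumed MikroTik address
MANAGEMENT_HOSTS = {"192.168.1.10"}           # hosts allowed to use Winbox
WINBOX_PORT = 8291                            # port the component probes
SMTP_PORT = 25
SMTP_FANOUT_THRESHOLD = 5   # distinct external mail servers from one source

# Constructed flow records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("192.168.1.10", "192.168.1.1", 8291),    # admin workstation, expected
    ("192.168.1.57", "192.168.1.1", 8291),    # user PC probing Winbox
    ("192.168.1.57", "192.168.1.2", 8291),
    ("192.168.1.57", "192.168.1.3", 8291),
] + [("192.168.1.1", f"203.0.113.{i}", 25) for i in range(1, 9)] \
  + [("192.168.1.57", "203.0.113.9", 25)]    # one SMTP flow, below threshold


def winbox_probes(flows):
    """Sources outside the management set that opened Winbox connections to
    internal hosts, mapped to the number of distinct targets each hit."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if (dport == WINBOX_PORT and ip_address(dst) in INTERNAL
                and src not in MANAGEMENT_HOSTS):
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items()}


def smtp_fanout(flows, threshold=SMTP_FANOUT_THRESHOLD):
    """Sources that connected to at least `threshold` distinct external SMTP
    servers. The router appearing here matches the spam-relay behaviour."""
    servers = defaultdict(set)
    for src, dst, dport in flows:
        if dport == SMTP_PORT and ip_address(dst) not in INTERNAL:
            servers[src].add(dst)
    return {src: len(s) for src, s in servers.items() if len(s) >= threshold}


def findings(flows):
    """Human-readable alert lines for both heuristics."""
    out = []
    for src, n in winbox_probes(flows).items():
        out.append(f"{src} opened Winbox (8291) to {n} internal host(s) "
                   f"but is not a management host")
    for src, n in smtp_fanout(flows).items():
        role = "router" if src == ROUTER else "host"
        out.append(f"{role} {src} connected to {n} distinct external SMTP servers")
    return out


if __name__ == "__main__":
    for line in findings(FLOWS):
        print(line)
```

The SMTP rule is deliberately keyed on the number of distinct destinations rather than on volume: a relay that is probing which mail servers accept connections, as described above, touches many servers briefly before any bulk sending starts.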
In addition to the spam traffic, there is other traffic from a set of remote servers that repeatedly connect to Instagram. Because the traffic is protected by HTTPS encryption, we cannot determine the exact purpose of these connections; it may be a password-reuse attack against Instagram.
Malware is a widespread threat that affects both users and businesses. A multi-layered approach to security, covering gateways, endpoints, networks and servers, is important.
Since most home and office devices are connected through routers, security should be a priority when setting up a router. Users and businesses can adopt good security practices to protect against such threats, and use relevant tools to add an extra layer of security to home networks and connected devices, further strengthening their defenses.