
Example analysis of Glupteba malware variants

王林
2023-06-02 23:11:57

Recently, cyberattacks involving the Glupteba malware were discovered. Glupteba is an old malware family that was first seen in the attack campaign known as "Windigo", where it was spread to Windows users through a vulnerability.

In 2018, a security firm reported that Glupteba had begun operating independently of Windigo and had moved to a pay-per-install adware service. Glupteba's activities serve several purposes: providing proxy services, exploiting vulnerabilities for cryptocurrency mining, and so on.

After researching recently discovered variants of Glupteba, we found two previously undocumented components beyond the Glupteba malware itself:

1. A browser stealer that can steal sensitive data from browsers, such as browsing history, website cookies, account names and passwords, and send the information to a remote server.

2. A router attack component that exploits the CVE-2018-14847 vulnerability against MikroTik routers on the local network. It uploads the stolen administrator credentials to the server, and the router is then used as a proxy relay.

In addition, we discovered that Glupteba can use Bitcoin transactions to obtain its latest C&C domain name. We explain this feature further in a later section. The malware developers are still improving their software and working to extend their proxy network to IoT devices.


## Glupteba download analysis

Custom packer: the program is written in the Go programming language and compiled into an executable that packs the downloaded binary. When initializing its configuration, it first collects the current application information, operating information, hardware information and some hard-coded binary information. It creates the registry key hkey_users\\software\microsoft\testapp to store all of the collected information. The result of running the initialization function is shown in the figure below.


The sendparentprocess function reads the machine_guid from the registry and derives the distributor id and campaign id from the file name, PID and name of the parent process. The program encrypts this information with AES, embeds it in a POST request and uploads it to the C&C server.

It then checks whether the process is elevated and whether it is running as the SYSTEM user. If the process is not elevated, it attempts to escalate privileges using the fodhelper UAC bypass. If it is not running as SYSTEM, it relaunches itself using the "Run as trusted installer" method.

The main commands are shown in the figure below.

The function mainstall checks for installed anti-virus programs, adds firewall rules, and adds Windows Defender exclusions.

The function mainpoll periodically polls the C&C server for new commands. The following are the POST parameters as they appear before AES encryption:

```
challenge=e94e354daf5f48ca&cloudnet_file=1&cloudnet_process=1&lcommand=0&mrt=1&pgdse=0&sb=1&sc=0&uuid=&version=145&wup_process=1&wupv=0
```

Finally, the function handlecommand implements the backdoor functionality.
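The parameter layout above is a usable detection signal for sandbox or decrypted traffic captures (on the wire the body is AES-encrypted, so this does not apply to raw network logs). The following is an added example, not code from the original analysis: it parses a form-encoded POST body and scores how closely its parameter names match the beacon layout. The sample bodies are constructed and the threshold is an assumption.

```python
from urllib.parse import parse_qsl

# Parameter names taken from the unencrypted mainpoll POST body quoted above.
GLUPTEBA_POLL_KEYS = frozenset({
    "challenge", "cloudnet_file", "cloudnet_process", "lcommand", "mrt",
    "pgdse", "sb", "sc", "uuid", "version", "wup_process", "wupv",
})


def parse_poll_body(body: str) -> dict:
    """Parse a form-encoded POST body into a dict; blank values (uuid=) are kept."""
    return dict(parse_qsl(body, keep_blank_values=True))


def poll_key_overlap(body: str) -> float:
    """Fraction of the known beacon parameter names that appear in the body."""
    keys = set(parse_poll_body(body))
    return len(keys & GLUPTEBA_POLL_KEYS) / len(GLUPTEBA_POLL_KEYS)


def is_glupteba_poll(body: str, threshold: float = 0.75) -> bool:
    """Flag a body whose parameter set closely matches the beacon layout.

    The threshold (an assumption) is below 1.0 so that a variant that adds or
    drops a single field is still flagged; matching on names rather than values
    avoids depending on per-victim fields such as challenge or uuid."""
    return poll_key_overlap(body) >= threshold


def poll_summary(body: str) -> dict:
    """Enrichment for an alert: the stable fields an analyst wants to pivot on."""
    params = parse_poll_body(body)
    return {
        "matched": is_glupteba_poll(body),
        "overlap": poll_key_overlap(body),
        "version": params.get("version"),
        "uuid": params.get("uuid"),
    }


# Constructed samples (values are made up, not real indicators).
SAMPLE_BEACON = ("challenge=0123456789abcdef&cloudnet_file=1&cloudnet_process=1"
                 "&lcommand=0&mrt=1&pgdse=0&sb=1&sc=0&uuid=&version=145"
                 "&wup_process=1&wupv=0")
BENIGN_BODY = "username=alice&password=secret&remember=1"

if __name__ == "__main__":
    print(poll_summary(SAMPLE_BEACON))
    print(poll_summary(BENIGN_BODY))
```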


## C&C Update Capabilities

The backdoor has most of the standard functionality; in addition, the malware can update its C&C server address via the blockchain using the discoverdomain function.


The discoverdomain function can be executed automatically or triggered by a backdoor command. It first enumerates Electrum Bitcoin wallet servers using a public list, then attempts to query the transaction history using a hard-coded hash.



## Browser stealing information component

The component found in this Glupteba variant is called "updateprofile"; it extracts browser profiles, cookies and passwords. The information collection server receives the compressed cookies, history and other profile data. This component is also written in Go, compiled into an executable and packed with UPX.

Another version of the browser stealer is called "vc.exe". It is designed to extract the passwords and cookie data stored by the browser and send them to the information collection server.


## Router attack component

Another component we found is the router attack component, which is also developed in Go. It looks up the default gateway of the victim network by running the WMI query "select defaultipgateway from win32_networkadapterconfiguration where ipenabled=true", which returns the list of default IP gateways.

In addition to these addresses, the following three default addresses are always tried: 192.168.88.11, 192.168.0.1, 192.168.1.1.


Once the component successfully connects to a device listening on port 8291, it attempts to exploit the CVE-2018-14847 vulnerability, which affects the RouterOS system used on MikroTik routers and allows attackers to obtain administrator credentials from unpatched devices. The obtained account name and password are stored in a JSON object, encrypted and sent to the C&C server.

After the credentials have been obtained, a task is added to the router's scheduler. There are three ways to add a scheduler task: using the WinBox protocol, using SSH, or using the API.


## Router Traffic Relay

After the above setup, the router becomes a SOCKS proxy through which the attacker relays traffic. The attacker first has a server route a remote connection through the SOCKS proxy; this server query returns the IP address of the current SOCKS proxy server. The query is sent repeatedly, probably to monitor the SOCKS proxy service.

After the first router status check, two types of traffic connect through the proxy to different servers. The first is spam traffic: using the router's SOCKS proxy, the remote server connects to the SMTP ports of multiple mail servers. If a mail server accepts the connection, the remote server starts sending spam.

In addition to the spam traffic, there is other traffic from a set of remote servers that repeatedly connect to Instagram. Because the traffic is protected by HTTPS encryption, we are unable to determine the exact purpose of these connections. It is possible that it is a password reuse attack against Instagram.
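Both the router attack component (gateway candidates probed on port 8291) and the relay behaviour (a router sourcing SMTP connections to many mail servers) leave a footprint in ordinary flow logs. The following is an added example, not code from the original analysis, that runs both checks over constructed flow records; the internal addresses, the gateway set beyond the three defaults listed above, and the fan-out threshold are assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Set

WINBOX_PORT = 8291   # port the router attack component connects to
SMTP_PORT = 25
# The three default gateway addresses listed in the analysis, tried in
# addition to the gateways returned by the WMI query.
GLUPTEBA_DEFAULT_GATEWAYS = {"192.168.88.11", "192.168.0.1", "192.168.1.1"}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def find_winbox_probes(flows: Iterable[Flow], gateways: Set[str]) -> Dict[str, Set[str]]:
    """Map each source host to the gateway candidates it contacted on 8291.

    A workstation touching several gateway addresses on the WinBox port is the
    pattern the router attack component produces; ordinary clients do not."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dport == WINBOX_PORT and f.dst in gateways:
            hits[f.src].add(f.dst)
    return dict(hits)


def find_smtp_fanout(flows: Iterable[Flow], router_ips: Set[str],
                     min_servers: int = 3) -> Dict[str, Set[str]]:
    """Routers are not mail clients: a router sourcing SMTP connections to
    min_servers or more distinct hosts matches the spam-relay traffic above."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.src in router_ips and f.dport == SMTP_PORT:
            targets[f.src].add(f.dst)
    return {r: d for r, d in targets.items() if len(d) >= min_servers}


# Constructed sample: 10.0.0.5 is an infected workstation, 10.0.0.1 the
# gateway router, 10.0.0.7 a benign client. External addresses are TEST-NET.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.1", 8291), Flow("10.0.0.5", "192.168.0.1", 8291),
    Flow("10.0.0.5", "192.168.1.1", 8291), Flow("10.0.0.7", "10.0.0.1", 443),
    Flow("10.0.0.1", "203.0.113.10", 25), Flow("10.0.0.1", "203.0.113.11", 25),
    Flow("10.0.0.1", "198.51.100.3", 25), Flow("10.0.0.1", "203.0.113.20", 443),
]

if __name__ == "__main__":
    print(find_winbox_probes(SAMPLE_FLOWS, {"10.0.0.1"} | GLUPTEBA_DEFAULT_GATEWAYS))
    print(find_smtp_fanout(SAMPLE_FLOWS, {"10.0.0.1"}))
```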


## Security Advice

Malware is a widespread threat that affects both users and businesses. A multi-layered approach to security that covers gateways, endpoints, networks and servers is important.

Since most home and office devices are connected through routers, security should be a priority when setting up a router. Users and businesses can adopt good security practices to protect against such threats. In addition, relevant tools can add an extra layer of security to home networks and connected devices, further strengthening the overall defenses.


Statement: This article is reproduced from yisu.com. If there is any infringement, please contact admin@php.cn for deletion.