SophosLabs reports “Glupteba malware hides in plain sight”

One of the most noticeable trends in cybercrime is the commoditization of attacks, where anything a potential cyber-attacker needs is available at a price, including networks of infected devices that can be harnessed for distributing malicious content. SophosLabs has published an in-depth report, “Glupteba malware hides in plain sight”. Glupteba is a backdoor that has evolved into a stealthy and complex malware distribution network.

The SophosLabs report is a technical deep dive into the latest tools, techniques, and procedures (TTPs) used by Glupteba, particularly its ability to avoid detection and secure persistence.

Among other things, SophosLabs researchers noted:

  • Glupteba’s core purpose is to infect a computer in order to deliver additional malware payloads without being readily detected
  • Currently, one of the most common payloads is a crypto miner. However, once installed in a victim’s network it can download and execute additional tools that enable it to:
    • Install rootkits to hide its processes and components
    • Steal browser information by collecting cookies, history, and credentials and sending them to the command and control server
    • Forward network requests by installing its own proxy components
    • Exfiltrate a massive amount of device data, such as stored configuration information, OS build number, motherboard serial number, MAC address, disk drive serial number, machine GUID, OS install date or RAM
    • Hijack vulnerable routers
  • Glupteba’s developers have spent an inordinate amount of time working on features to conceal the bot from detection:
    • This includes watchers that continuously monitor the performance of Glupteba’s own processes so that they perform without failure (which could then trigger an alert on the network)
    • Adding itself to the exclusion lists for Windows Defender
    • Stealthily updating, restarting and hiding malicious processes
    • Use of the bitcoin cryptocurrency blockchain to covertly update the bot’s command and control server addresses
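One defender-side check for the Windows Defender exclusion tactic listed above, as an added example that is not part of the SophosLabs report or this post: it lists the current Defender exclusions, flags paths under user-writable directories (a constructed list), and pulls recent configuration-change events (ID 5007) from the Defender operational log. It assumes an elevated PowerShell session on a Windows host running Microsoft Defender.

```powershell
# Added example, not code from the SophosLabs report. Audits Microsoft Defender
# exclusions for entries a self-whitelisting dropper would typically add.
# Requires an elevated PowerShell session on a Windows host with Defender.

# Constructed list of user-writable roots that should rarely be excluded outright.
$SuspiciousRoots = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
    "$env:SystemRoot\Temp", $env:PUBLIC
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-DefenderExclusionReport {
    $pref = Get-MpPreference          # built-in Defender cmdlet
    $findings = @()
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $lp  = $p.TrimEnd('\').ToLowerInvariant()
        $hit = $SuspiciousRoots | Where-Object { $lp -eq $_ -or $lp.StartsWith($_ + '\') }
        $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Review = [bool]$hit }
    }
    foreach ($x in @($pref.ExclusionProcess)) {
        if (-not $x) { continue }
        # A process exclusion skips scanning of every file that process opens, so flag all of them.
        $findings += [pscustomobject]@{ Type = 'Process'; Value = $x; Review = $true }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        if (-not $e) { continue }
        # Excluding executable or script extensions defeats the point of scanning.
        $risky = $e -match '^\.?(exe|dll|ps1|vbs|js|scr)$'
        $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Review = $risky }
    }
    return $findings
}

# Defender logs event 5007 to its Operational channel on configuration changes,
# which includes exclusion additions; surface the recent ones that mention exclusions.
function Get-RecentExclusionChanges {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

Get-DefenderExclusionReport | Format-Table -AutoSize
Get-RecentExclusionChanges  | Format-List
```

Any exclusion marked for review, or a 5007 event that no administrator can account for, is worth correlating with process creation and download activity on that host.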

What to do?

  • Patch early, patch often. That includes your operating system, the apps you use, and any devices such as routers and file storage servers on your own network.
  • Use a decent anti-virus with built-in web filtering. Most malware, including zombie malware, arrives as a series of downloads. Even if you get hit by the first stage of a malware attack, you can still defeat the crooks if you stop the final payload from arriving.
  • Stay away from hooky (pirated) software. Assume that the sort of person who’s willing to steal software such as Adobe Illustrator and give away tools to crack it “for free” is also willing to accept money from crooks to implant malware in their fraudulent downloads.

Luca Nagy, a security researcher at Sophos and lead author of the report, said:

“The most unscrupulous threat actors design their malware to be stealthy. This means that they strive to stay under the radar and remain in the wild for a long time, performing reconnaissance and collecting information to determine their next move and to hone their malicious techniques. While researching Glupteba, we realized the actors behind the bot are investing immense effort in self-defense. Security teams need to be on the lookout for such behavior. In addition, Glupteba is designed to be generic, capable of implementing a wide range of different malicious activities through its different components and extensive backdoor functions.”

Link to Official Report.