Glupteba is a Trojan horse that downloads and executes potentially malicious files on the compromised computer. Several variants of Trojan Glupteba with updated functionality have been reported. This Trojan arrives on a system as a file dropped by other malware or by exploit kits when users are unknowingly routed to malicious sites. Generally, the malware installs itself as a service and establishes persistence on the victim machine while posing as an updater for legitimate software. The malware communicates with hardcoded IP addresses and ports.

The IP list may contain legitimate or compromised resources as well.

Types and source of infection

Trojan.Glupteba is usually dropped by exploit kits. It can download and install further malware and add the affected system to a botnet. It has the tendency to pretend to be an updater for legitimate software.

In the malvertising campaign, the Glupteba dropper downloaded two undocumented components in addition to the Glupteba malware itself:

  • A browser stealer that can steal sensitive data, for example, browsing history, website cookies, and account names and passwords from browsers and send the information to a remote server.
  • A router exploiter that attacks MikroTik routers on the local network using CVE-2018-14847. It schedules a task on the router for command and control (C&C) and uploads the stolen administrator credentials to a remote server. A compromised router is configured as a SOCKS proxy to relay malicious traffic, matching the original purpose of the Glupteba botnet on Windows.

Recommendations:

  • CERT-IN recommends monitoring activity to the listed IP(s) / domains as a potential indicator of infection.
  • Disable macros in Microsoft Office products. Some Office products allow macros that originate from outside the organization to be disabled, which provides a hybrid approach when the organization depends on the legitimate use of macros. On Windows, specific settings can block macros originating from the Internet from running.
  • Restrict execution of PowerShell / WScript in the enterprise environment. Ensure the installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled, including script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.
  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses, and block them before messages are received and downloaded. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution. Note: many malicious domains use the TLDs .PW, .TOP and .ME, as well as DynDNS domains; monitor connections to such domains.
  • Enforce application whitelisting on all endpoint workstations. This prevents droppers or unauthorized software from gaining execution on endpoints.
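The monitoring recommended above (connections to the listed IPs/domains, and to domains under frequently abused TLDs or DynDNS providers) can be scripted against proxy or firewall logs. The following is an added example, not CERT-IN's or the advisory's own tooling; the watchlist entries, the DynDNS provider suffixes and the log lines are constructed placeholders, and the simple `timestamp src -> dst:port` log format is assumed.

```python
import re
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed placeholders standing in for the advisory's IP/domain indicators.
# Replace with the IoC list published for the infection you are hunting.
WATCHLIST_IPS = {"203.0.113.10"}              # TEST-NET-3 range, not a real C&C
WATCHLIST_DOMAINS = {"glupteba-c2.example"}   # reserved .example TLD, not real

# TLDs called out in the advisory as frequently abused, plus assumed DynDNS suffixes.
SUSPICIOUS_TLDS = {"pw", "top", "me"}
DYNDNS_SUFFIXES = ("dyndns.org", "no-ip.org", "ddns.net")  # assumption: common providers

# Assumed log format: "<timestamp> <src> -> <dst>:<port>" (IPv4 or hostname as dst).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+)$")

def classify_destination(dst: str) -> Optional[str]:
    """Return an alert reason for dst, or None when nothing matches."""
    dst = dst.lower().rstrip(".")
    try:
        ip_address(dst)                        # literal IP: only the IP watchlist applies
        return "watchlist-ip" if dst in WATCHLIST_IPS else None
    except ValueError:
        pass                                   # not an IP, treat as a hostname
    if dst in WATCHLIST_DOMAINS or any(dst.endswith("." + d) for d in WATCHLIST_DOMAINS):
        return "watchlist-domain"              # exact match or subdomain of a listed domain
    if any(dst == s or dst.endswith("." + s) for s in DYNDNS_SUFFIXES):
        return "dyndns-domain"
    tld = dst.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        return f"suspicious-tld:{tld}"
    return None

def scan_log(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """Parse log lines and return (ts, src, dst, port, reason) for each hit, in order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                           # skip lines that do not fit the format
        reason = classify_destination(m["dst"])
        if reason:
            alerts.append((m["ts"], m["src"], m["dst"], int(m["port"]), reason))
    return alerts

# Constructed sample log: one benign line and four that should each raise a different alert.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 -> 203.0.113.10:443
2024-01-01T10:00:01Z 10.0.0.5 -> updates.example.com:443
2024-01-01T10:00:02Z 10.0.0.7 -> cdn.payload.top:80
2024-01-01T10:00:03Z 10.0.0.7 -> host.dyndns.org:8080
2024-01-01T10:00:04Z 10.0.0.9 -> sub.glupteba-c2.example:53
""".splitlines()

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```

A hit on a watchlist entry is a stronger signal than a TLD or DynDNS match, which only warrants a closer look at the source host.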

For more cybersecurity information, contact us at help@theweborion.com