Delaware, USA – September 5, 2019 – Glupteba malware is learning new tricks to stay afloat. The malware has been active since at least 2011 and has been used to steal credentials and redirect web traffic to malicious content. The cybercriminals distributing Glupteba most recently mine cryptocurrency and provide proxy services to other hacking groups. Since last year, the adversaries have been using malvertising to expand their botnet. Trend Micro researchers discovered a new Glupteba dropper, which downloads additional tools, as well as a new mechanism for updating the list of command-and-control servers in the main backdoor. One of the new modules steals a variety of data from browsers: credentials, history, and cookies. The other is designed to detect and attack MikroTik routers on the local network by exploiting the vulnerability CVE-2018-14847. The module retrieves admin credentials and passes them to the adversaries, who configure SOCKS proxies on the routers to relay malicious traffic.
The Glupteba backdoor is largely unremarkable in terms of functionality: it can take screenshots, download and run additional files, exfiltrate data, and mine Monero cryptocurrency. Its mechanism for updating C&C server information, however, is unique. The malware enumerates Electrum Bitcoin wallet servers and queries the blockchain script-hash history to find an AES-encrypted C&C domain, which it decrypts using a hardcoded key. The ability to update server information is extremely important for threat actors: last year researchers managed to disable a botnet of 500,000 devices by gaining access to a single server, and attackers are now developing various ways to misuse non-blacklisted resources so they can recover after their C&C infrastructure is taken down.
You can use the Netflow Security Monitor rule pack for real-time traffic profiling to uncover suspicious traffic spikes: https://my.socprime.com/en/integrations/netflow-security-monitor-kibana
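The two network behaviours described above (a host enumerating Electrum wallet servers to fetch its C&C update, and a host probing the local network for MikroTik routers) both leave a footprint in flow data. The following is an added illustration, not code from Trend Micro, SOC Prime or the rule pack linked above, of how a flow-based detector for these patterns could look. It assumes a simplified whitespace-separated flow record format, uses the Electrum default ports 50001/50002 and the MikroTik Winbox port 8291 (the service affected by CVE-2018-14847), and the thresholds, allowlist and sample records are constructed values chosen for the example.

```python
"""Flow-based detection of two Glupteba behaviours: Electrum server
enumeration (C&C update via blockchain) and Winbox scanning of the LAN.
Added example; record format, thresholds and sample flows are constructed."""
from collections import defaultdict
from typing import Dict, NamedTuple, Set

ELECTRUM_PORTS = {50001, 50002}  # Electrum default TCP / TLS ports
WINBOX_PORT = 8291               # MikroTik Winbox, affected by CVE-2018-14847

ELECTRUM_SERVER_THRESHOLD = 3    # distinct Electrum servers per host (assumed tuning)
WINBOX_TARGET_THRESHOLD = 5      # distinct internal Winbox targets per host (assumed)


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(lines):
    """Parse 'src dst dport proto' records (a constructed, simplified format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def is_rfc1918(ip):
    """True for private IPv4 space; used to scope the Winbox check to the LAN."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def detect(flows, wallet_allowlist=frozenset()):
    """Return (rule, host, distinct_endpoint_count) tuples for hosts over threshold."""
    electrum: Dict[str, Set[str]] = defaultdict(set)
    winbox: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto != "tcp":
            continue
        # Legitimate wallet hosts are allowlisted; anything else talking to
        # several Electrum servers looks like the backdoor's C&C lookup.
        if f.dport in ELECTRUM_PORTS and f.src not in wallet_allowlist:
            electrum[f.src].add(f.dst)
        # Internal host fanning out to many internal Winbox endpoints.
        elif f.dport == WINBOX_PORT and is_rfc1918(f.src) and is_rfc1918(f.dst):
            winbox[f.src].add(f.dst)
    alerts = []
    for host, servers in sorted(electrum.items()):
        if len(servers) >= ELECTRUM_SERVER_THRESHOLD:
            alerts.append(("electrum_enumeration", host, len(servers)))
    for host, targets in sorted(winbox.items()):
        if len(targets) >= WINBOX_TARGET_THRESHOLD:
            alerts.append(("winbox_scan", host, len(targets)))
    return alerts


# Constructed sample flows: 10.0.0.15 behaves like an infected host,
# 10.0.0.42 is a known wallet user, 10.0.0.77 is a lone admin connection.
SAMPLE_FLOWS = """
# src dst dport proto
10.0.0.15 203.0.113.10 50002 tcp
10.0.0.15 203.0.113.11 50002 tcp
10.0.0.15 203.0.113.12 50001 tcp
10.0.0.15 203.0.113.13 50002 tcp
10.0.0.15 10.0.0.1 8291 tcp
10.0.0.15 10.0.0.2 8291 tcp
10.0.0.15 10.0.0.3 8291 tcp
10.0.0.15 10.0.0.4 8291 tcp
10.0.0.15 10.0.0.5 8291 tcp
10.0.0.15 10.0.0.6 8291 tcp
10.0.0.42 198.51.100.7 50002 tcp
10.0.0.42 203.0.113.10 443 tcp
10.0.0.77 10.0.0.1 8291 tcp
"""


def run_sample():
    return detect(parse_flows(SAMPLE_FLOWS.splitlines()), wallet_allowlist={"10.0.0.42"})


if __name__ == "__main__":
    for rule, host, count in run_sample():
        print(f"{rule}: {host} contacted {count} distinct endpoints")
```

The two checks are deliberately separate: a single Electrum connection from a workstation is normal wallet use and belongs on an allowlist, while the same host touching several Electrum servers in one window, or fanning out to many Winbox endpoints, matches the enumeration and lateral-movement behaviour this report describes.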