Glupteba Malware

Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.

Read the Security Report Request a Demo

How Does It Work?

Glupteba commonly infects computers by disguising itself as desirable software available for download. For example, a common infection method is to substitute Glupteba for a free download of cracked software. Alternatively, Glupteba is also commonly deployed by exploit kits.

Once installed on a computer, Glupteba provides the attacker with backdoor access to the infected machine. It uses the HTTPS protocol to communicate with its command and control (C2) servers, enabling it to protect its C2 data with encryption and to conceal it amongst legitimate C2 traffic.

By default, the malware has a few C2 servers that it communicates with. However, it also provides an unusual mechanism for the malware to identify backup C2 servers if the primary ones are unavailable.

On the Bitcoin blockchain, the attacker controls a few different accounts that include backup domains in their transactions. These domains are encrypted using AES 256 and a secret key embedded within the Glupteba malware binary. If the malware can’t reach its primary C2 servers, it can check the Bitcoin blockchain’s ledger for additional domains.

Some variants include the ability to spread laterally through an organization’s network using the EternalBlue exploit. This exploit was famously used by WannaCry and takes advantage of vulnerabilities in Microsoft SMBv1.

Glupteba Malware Capabilities

Glupteba is designed as modular malware, meaning that it can download and deploy code that implements various capabilities. Some of the most common malicious capabilities used by the Glupteba malware include:

  • Malware Dropping: Glupteba is a trojan designed to gain initial access to a target system. Once installed on the system, it can be used to deploy and execute additional malware to achieve the attacker’s goals, such as ransomware or infostealers.
  • Credential Stealing: The malware collects and exfiltrates user credentials and cookies from infected computers. These can be used to log into user accounts or take over existing sessions with websites by using the information contained within cookie files.
  • Cryptocurrency Mining: It can enroll infected machines in a cryptocurrency mining botnet. Cryptomining botnets use the computational resources of infected machines to find valid blocks on Proof of Work blockchains and earn rewards for the malware operator.
  • Malvertising: Some Glupteba variants install browser extensions that are used to deliver malicious ads on the infected computer. These ads can be used to make money for the attacker, steal data, or deploy additional malicious functionality.

Impacts of a Glupteba Infection

As a modular malware variant, Glupteba can achieve various objectives on an infected computer. Some of the most common impacts of a Glupteba infection include:

  • Follow-On Attacks: Glupteba is often used as a downloader and dropper for other malware. This means that a Glupteba infection could lead to a ransomware infection, data breach, or other security incidents.
  • Account Takeover: Glupteba malware is designed to steal user credentials and session cookies from infected machines. This authentication data can be used to gain access to a user’s online accounts or other systems, enabling the attacker to steal sensitive data or take other action using these compromised accounts.
  • Resource Consumption: The malware is commonly used to deploy cryptomining functionality on an infected computer. Cryptominers waste a computer’s resources by using them to mine blocks for a Proof of Work blockchain.

How to Protect Against Glupteba Malware

Glupteba uses various means to infect a computer. Some security best practices that help to protect against Glupteba infections include:

  • URL Filtering: Glupteba is commonly deployed via malicious sites, so blocking visits to known-bad URLs can help protect users from downloading Glupteba.
  • Content Filtering: Glupteba is mostly delivered via a malicious download. Scanning downloads for signs of malware can help to block these attacks.
  • Security Awareness Training: Often, Glupteba masquerades as cracked software and other suspicious downloads. Security awareness training can enable users to identify and avoid these threats.
  • Vulnerability Patching: Some variants use EternalBlue or other exploits to spread within a network. Keeping systems patched and up to date can help to close these potential infection vectors.
  • Endpoint Security: Glupteba is a well-known malware variant. An up-to-date endpoint security solution should identify and block Glupteba infections before they pose a threat to the organization.

Glupteba Malware Protection with Check Point

Glupteba is a trojan malware that poses a significant threat to organizations. However, companies face various other cybersecurity threats as well. Learn more about Glupteba and other leading malware threats in Check Point’s 2022 Cyber Security Report.

Check Point’s Harmony Endpoint provides comprehensive protection against Glupteba and other major threats to corporate endpoint security. Learn more about Harmony Endpoint’s capabilities by signing up for a free demo.

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK