SYMBOLCOMMON_NAMEaka. SYNONYMS
win.glupteba (Back to overview)

Glupteba

There is no description at this point.

References
2022-03-23The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220323:abuse:6b8c004, author = {Ravie Lakshmanan}, title = {{abuse mikrotik router by GLUPTEBA malware}}, date = {2022-03-23}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html}, language = {English}, urldate = {2022-03-28} } abuse mikrotik router by GLUPTEBA malware
Glupteba Proxy Glupteba
2022-03-18AvastMartin Hron
@online{hron:20220318:mris:47b15bc, author = {Martin Hron}, title = {{Mēris and TrickBot standing on the shoulders of giants}}, date = {2022-03-18}, organization = {Avast}, url = {https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/}, language = {English}, urldate = {2022-03-23} } Mēris and TrickBot standing on the shoulders of giants
Glupteba Proxy Glupteba TrickBot
2022-01-19ChainanalysisChainalysis Team
@online{team:20220119:meet:b0e3f43, author = {Chainalysis Team}, title = {{Meet the Malware Families Helping Hackers Steal and Mine Millions in Cryptocurrency}}, date = {2022-01-19}, organization = {Chainanalysis}, url = {https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/}, language = {English}, urldate = {2022-01-24} } Meet the Malware Families Helping Hackers Steal and Mine Millions in Cryptocurrency
Glupteba RedLine Stealer
2021-12-07GoogleGoogle
@techreport{google:20211207:complaint:f4ad8d1, author = {Google}, title = {{Complaint for Damages and Injunctive Relief against DMITRY STAROVIKOV and ALEXANDER FILIPPOV}}, date = {2021-12-07}, institution = {Google}, url = {https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf}, language = {English}, urldate = {2021-12-08} } Complaint for Damages and Injunctive Relief against DMITRY STAROVIKOV and ALEXANDER FILIPPOV
Glupteba
2021-12-07GoogleRoyal Hansen, Halimah DeLaine Prado
@online{hansen:20211207:new:d707355, author = {Royal Hansen and Halimah DeLaine Prado}, title = {{New action to combat cyber crime}}, date = {2021-12-07}, organization = {Google}, url = {https://blog.google/technology/safety-security/new-action-combat-cyber-crime/}, language = {English}, urldate = {2021-12-08} } New action to combat cyber crime
Glupteba
2021-12-07GoogleShane Huntley, Luca Nagy, Google Threat Analysis Group
@online{huntley:20211207:disrupting:9fd4ab7, author = {Shane Huntley and Luca Nagy and Google Threat Analysis Group}, title = {{Disrupting the Glupteba operation}}, date = {2021-12-07}, organization = {Google}, url = {https://blog.google/threat-analysis-group/disrupting-glupteba-operation/}, language = {English}, urldate = {2021-12-08} } Disrupting the Glupteba operation
Glupteba
2021-10-15Trend MicroFernando Mercês
@online{mercs:20211015:ransomware:c944933, author = {Fernando Mercês}, title = {{Ransomware Operators Found Using New "Franchise" Business Model}}, date = {2021-10-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html}, language = {English}, urldate = {2021-10-24} } Ransomware Operators Found Using New "Franchise" Business Model
Glupteba IcedID Mount Locker
2021-09-20Rostelecom-SolarRostelecom-Solar
@online{rostelecomsolar:20210920:how:cfe97c4, author = {Rostelecom-Solar}, title = {{How we searched for a connection between Mēris and Glupteba, and gained control over 45 thousand MikroTik devices}}, date = {2021-09-20}, organization = {Rostelecom-Solar}, url = {https://habr.com/ru/company/solarsecurity/blog/578900/}, language = {Russian}, urldate = {2021-09-22} } How we searched for a connection between Mēris and Glupteba, and gained control over 45 thousand MikroTik devices
Glupteba
2021-09-08RiskIQJennifer Grob
@online{grob:20210908:bulletproof:902e9f2, author = {Jennifer Grob}, title = {{Bulletproof Hosting Services: Investigating Flowspec}}, date = {2021-09-08}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/2a36a7d2/description}, language = {English}, urldate = {2021-09-10} } Bulletproof Hosting Services: Investigating Flowspec
Azorult Glupteba
2021-07-19BitdefenderBitdefender
@techreport{bitdefender:20210719:debugging:48353a0, author = {Bitdefender}, title = {{Debugging MosaicLoader, One Step at a Time}}, date = {2021-07-19}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf}, language = {English}, urldate = {2021-07-20} } Debugging MosaicLoader, One Step at a Time
AsyncRAT Glupteba
2021-06-04K7 SecurityMary Muthu Francisca
@online{francisca:20210604:glupteba:f7ec1dc, author = {Mary Muthu Francisca}, title = {{Glupteba back on track spreading via EternalBlue exploits}}, date = {2021-06-04}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=22319}, language = {English}, urldate = {2021-06-21} } Glupteba back on track spreading via EternalBlue exploits
Glupteba
2021-02-25IntezerIntezer
@techreport{intezer:20210225:year:eb47cd1, author = {Intezer}, title = {{Year of the Gopher A 2020 Go Malware Round-Up}}, date = {2021-02-25}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf}, language = {English}, urldate = {2021-06-30} } Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy
2020-12-02DomainToolsJoe Slowik
@online{slowik:20201202:identifying:8ac64c3, author = {Joe Slowik}, title = {{Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign}}, date = {2020-12-02}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign}, language = {English}, urldate = {2020-12-08} } Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign
Azorult Glupteba
2020-06-24Sophos LabsAndrew Brandt
@online{brandt:20200624:glupteba:fc4095d, author = {Andrew Brandt}, title = {{Glupteba malware hides in plain sight}}, date = {2020-06-24}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728}, language = {English}, urldate = {2020-06-24} } Glupteba malware hides in plain sight
Glupteba
2020-06-24Sophos Naked SecurityPaul Ducklin
@online{ducklin:20200624:glupteba:8f0c66a, author = {Paul Ducklin}, title = {{Glupteba - the malware that gets secret messages from the Bitcoin blockchain}}, date = {2020-06-24}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/}, language = {English}, urldate = {2020-06-26} } Glupteba - the malware that gets secret messages from the Bitcoin blockchain
Glupteba
2020-04-13Dissecting MalwareMarius Genheimer
@online{genheimer:20200413:blame:b258b2b, author = {Marius Genheimer}, title = {{The Blame Game - About False Flags and overwritten MBRs}}, date = {2020-04-13}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html}, language = {English}, urldate = {2020-04-15} } The Blame Game - About False Flags and overwritten MBRs
Glupteba MBR Locker
2020-02-07Medium CSIS TechblogBenoît Ancel
@online{ancel:20200207:installcapital:23b3760, author = {Benoît Ancel}, title = {{InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime}}, date = {2020-02-07}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451}, language = {English}, urldate = {2020-02-09} } InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime
DreamBot Glupteba
2019-09-04Trend MicroJaromír Hořejší, Joseph C. Chen
@online{hoej:20190904:glupteba:230e916, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions}}, date = {2019-09-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/}, language = {English}, urldate = {2020-01-10} } Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions
Glupteba
2018-03-22ESET ResearchFrédéric Vachon
@online{vachon:20180322:glupteba:10f0116, author = {Frédéric Vachon}, title = {{Glupteba is no longer part of Windigo}}, date = {2018-03-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/}, language = {English}, urldate = {2019-11-14} } Glupteba is no longer part of Windigo
Glupteba
2014-03-18ESET ResearchPierre-Marc Bureau
@online{bureau:20140318:operation:1b1bd17, author = {Pierre-Marc Bureau}, title = {{Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign}}, date = {2014-03-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/}, language = {English}, urldate = {2019-11-14} } Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign
Boaxxe Glupteba
2011-03-02ESET ResearchDavid Harley
@online{harley:20110302:tdl4:9071c3f, author = {David Harley}, title = {{TDL4 and Glupteba: Piggyback PiggyBugs}}, date = {2011-03-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/}, language = {English}, urldate = {2019-11-14} } TDL4 and Glupteba: Piggyback PiggyBugs
Glupteba
Yara Rules
[TLP:WHITE] win_glupteba_auto (20220516 | Detects win.glupteba.)
rule win_glupteba_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.glupteba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 895dd0 89bdccfeffff 89b5c8feffff 33c9 8d85ccfeffff 3910 7408 }
            // n = 7, score = 400
            //   895dd0               | mov                 dword ptr [ebp - 0x30], ebx
            //   89bdccfeffff         | mov                 dword ptr [ebp - 0x134], edi
            //   89b5c8feffff         | mov                 dword ptr [ebp - 0x138], esi
            //   33c9                 | xor                 ecx, ecx
            //   8d85ccfeffff         | lea                 eax, [ebp - 0x134]
            //   3910                 | cmp                 dword ptr [eax], edx
            //   7408                 | je                  0xa

        $sequence_1 = { 6a02 ff75f2 ff15???????? ff75f2 ff15???????? 838b????????ff ff0d???????? }
            // n = 7, score = 400
            //   6a02                 | push                2
            //   ff75f2               | push                dword ptr [ebp - 0xe]
            //   ff15????????         |                     
            //   ff75f2               | push                dword ptr [ebp - 0xe]
            //   ff15????????         |                     
            //   838b????????ff       |                     
            //   ff0d????????         |                     

        $sequence_2 = { a0???????? 3ac3 7418 53 }
            // n = 4, score = 400
            //   a0????????           |                     
            //   3ac3                 | cmp                 al, bl
            //   7418                 | je                  0x1a
            //   53                   | push                ebx

        $sequence_3 = { 33770c 8b7dc8 3375e0 ff4de8 894dd4 897dd8 8975dc }
            // n = 7, score = 400
            //   33770c               | xor                 esi, dword ptr [edi + 0xc]
            //   8b7dc8               | mov                 edi, dword ptr [ebp - 0x38]
            //   3375e0               | xor                 esi, dword ptr [ebp - 0x20]
            //   ff4de8               | dec                 dword ptr [ebp - 0x18]
            //   894dd4               | mov                 dword ptr [ebp - 0x2c], ecx
            //   897dd8               | mov                 dword ptr [ebp - 0x28], edi
            //   8975dc               | mov                 dword ptr [ebp - 0x24], esi

        $sequence_4 = { 897904 8b7b08 895304 8b5008 33fa 897908 8b7b0c }
            // n = 7, score = 400
            //   897904               | mov                 dword ptr [ecx + 4], edi
            //   8b7b08               | mov                 edi, dword ptr [ebx + 8]
            //   895304               | mov                 dword ptr [ebx + 4], edx
            //   8b5008               | mov                 edx, dword ptr [eax + 8]
            //   33fa                 | xor                 edi, edx
            //   897908               | mov                 dword ptr [ecx + 8], edi
            //   8b7b0c               | mov                 edi, dword ptr [ebx + 0xc]

        $sequence_5 = { 83c40c ff750c 66c745f00200 ff15???????? 668945f2 6a10 }
            // n = 6, score = 400
            //   83c40c               | add                 esp, 0xc
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   66c745f00200         | mov                 word ptr [ebp - 0x10], 2
            //   ff15????????         |                     
            //   668945f2             | mov                 word ptr [ebp - 0xe], ax
            //   6a10                 | push                0x10

        $sequence_6 = { 8b7f0c 33780c 0fb6d2 c1ea04 4a 894510 895dd0 }
            // n = 7, score = 400
            //   8b7f0c               | mov                 edi, dword ptr [edi + 0xc]
            //   33780c               | xor                 edi, dword ptr [eax + 0xc]
            //   0fb6d2               | movzx               edx, dl
            //   c1ea04               | shr                 edx, 4
            //   4a                   | dec                 edx
            //   894510               | mov                 dword ptr [ebp + 0x10], eax
            //   895dd0               | mov                 dword ptr [ebp - 0x30], ebx

        $sequence_7 = { 0f8491000000 6a06 8d45d4 50 57 }
            // n = 5, score = 400
            //   0f8491000000         | je                  0x97
            //   6a06                 | push                6
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_8 = { 00cd 3e46 005e3e 46 }
            // n = 4, score = 100
            //   00cd                 | add                 ch, cl
            //   3e46                 | inc                 esi
            //   005e3e               | add                 byte ptr [esi + 0x3e], bl
            //   46                   | inc                 esi

        $sequence_9 = { 005e3e 46 00ff 3e46 }
            // n = 4, score = 100
            //   005e3e               | add                 byte ptr [esi + 0x3e], bl
            //   46                   | inc                 esi
            //   00ff                 | add                 bh, bh
            //   3e46                 | inc                 esi

        $sequence_10 = { 00f1 3d46005e3e 46 00cd }
            // n = 4, score = 100
            //   00f1                 | add                 cl, dh
            //   3d46005e3e           | cmp                 eax, 0x3e5e0046
            //   46                   | inc                 esi
            //   00cd                 | add                 ch, cl

        $sequence_11 = { 00ff 3e46 0012 3f }
            // n = 4, score = 100
            //   00ff                 | add                 bh, bh
            //   3e46                 | inc                 esi
            //   0012                 | add                 byte ptr [edx], dl
            //   3f                   | aas                 

        $sequence_12 = { 0101 03d3 8b4620 8bcb }
            // n = 4, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   03d3                 | add                 edx, ebx
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   8bcb                 | mov                 ecx, ebx

        $sequence_13 = { 0106 830702 392e 75a0 }
            // n = 4, score = 100
            //   0106                 | add                 dword ptr [esi], eax
            //   830702               | add                 dword ptr [edi], 2
            //   392e                 | cmp                 dword ptr [esi], ebp
            //   75a0                 | jne                 0xffffffa2

        $sequence_14 = { 0012 3f 46 008bff558bec }
            // n = 4, score = 100
            //   0012                 | add                 byte ptr [edx], dl
            //   3f                   | aas                 
            //   46                   | inc                 esi
            //   008bff558bec         | add                 byte ptr [ebx - 0x1374aa01], cl

        $sequence_15 = { 0107 eb4d 8b02 89442418 }
            // n = 4, score = 100
            //   0107                 | add                 dword ptr [edi], eax
            //   eb4d                 | jmp                 0x4f
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax

    condition:
        7 of them and filesize < 1417216
}
Download all Yara Rules