SYMBOLCOMMON_NAMEaka. SYNONYMS
win.glupteba (Back to overview)

Glupteba

Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.

References
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-06-28KrebsOnSecurityBrian Krebs
@online{krebs:20220628:link:355a5e2, author = {Brian Krebs}, title = {{The Link Between AWM Proxy & the Glupteba Botnet}}, date = {2022-06-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/?utm_source=dlvr.it&utm_medium=twitter}, language = {English}, urldate = {2022-08-15} } The Link Between AWM Proxy & the Glupteba Botnet
Glupteba
2022-03-23The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220323:abuse:6b8c004, author = {Ravie Lakshmanan}, title = {{abuse mikrotik router by GLUPTEBA malware}}, date = {2022-03-23}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html}, language = {English}, urldate = {2022-03-28} } abuse mikrotik router by GLUPTEBA malware
Glupteba Proxy Glupteba
2022-03-18AvastMartin Hron
@online{hron:20220318:mris:47b15bc, author = {Martin Hron}, title = {{Mēris and TrickBot standing on the shoulders of giants}}, date = {2022-03-18}, organization = {Avast}, url = {https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/}, language = {English}, urldate = {2022-03-23} } Mēris and TrickBot standing on the shoulders of giants
Glupteba Proxy Glupteba TrickBot
2022-01-19ChainanalysisChainalysis Team
@online{team:20220119:meet:b0e3f43, author = {Chainalysis Team}, title = {{Meet the Malware Families Helping Hackers Steal and Mine Millions in Cryptocurrency}}, date = {2022-01-19}, organization = {Chainanalysis}, url = {https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/}, language = {English}, urldate = {2022-01-24} } Meet the Malware Families Helping Hackers Steal and Mine Millions in Cryptocurrency
Glupteba RedLine Stealer
2021-12-07GoogleRoyal Hansen, Halimah DeLaine Prado
@online{hansen:20211207:new:d707355, author = {Royal Hansen and Halimah DeLaine Prado}, title = {{New action to combat cyber crime}}, date = {2021-12-07}, organization = {Google}, url = {https://blog.google/technology/safety-security/new-action-combat-cyber-crime/}, language = {English}, urldate = {2021-12-08} } New action to combat cyber crime
Glupteba
2021-12-07GoogleGoogle
@techreport{google:20211207:complaint:f4ad8d1, author = {Google}, title = {{Complaint for Damages and Injunctive Relief against DMITRY STAROVIKOV and ALEXANDER FILIPPOV}}, date = {2021-12-07}, institution = {Google}, url = {https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf}, language = {English}, urldate = {2021-12-08} } Complaint for Damages and Injunctive Relief against DMITRY STAROVIKOV and ALEXANDER FILIPPOV
Glupteba
2021-12-07GoogleShane Huntley, Luca Nagy, Google Threat Analysis Group
@online{huntley:20211207:disrupting:9fd4ab7, author = {Shane Huntley and Luca Nagy and Google Threat Analysis Group}, title = {{Disrupting the Glupteba operation}}, date = {2021-12-07}, organization = {Google}, url = {https://blog.google/threat-analysis-group/disrupting-glupteba-operation/}, language = {English}, urldate = {2021-12-08} } Disrupting the Glupteba operation
Glupteba
2021-10-15Trend MicroFernando Mercês
@online{mercs:20211015:ransomware:c944933, author = {Fernando Mercês}, title = {{Ransomware Operators Found Using New "Franchise" Business Model}}, date = {2021-10-15}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html}, language = {English}, urldate = {2021-10-24} } Ransomware Operators Found Using New "Franchise" Business Model
Glupteba IcedID Mount Locker
2021-09-20Rostelecom-SolarRostelecom-Solar
@online{rostelecomsolar:20210920:how:cfe97c4, author = {Rostelecom-Solar}, title = {{How we searched for a connection between Mēris and Glupteba, and gained control over 45 thousand MikroTik devices}}, date = {2021-09-20}, organization = {Rostelecom-Solar}, url = {https://habr.com/ru/company/solarsecurity/blog/578900/}, language = {Russian}, urldate = {2021-09-22} } How we searched for a connection between Mēris and Glupteba, and gained control over 45 thousand MikroTik devices
Glupteba
2021-09-08RiskIQJennifer Grob
@online{grob:20210908:bulletproof:902e9f2, author = {Jennifer Grob}, title = {{Bulletproof Hosting Services: Investigating Flowspec}}, date = {2021-09-08}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/2a36a7d2/description}, language = {English}, urldate = {2021-09-10} } Bulletproof Hosting Services: Investigating Flowspec
Azorult Glupteba
2021-07-19BitdefenderBitdefender
@techreport{bitdefender:20210719:debugging:48353a0, author = {Bitdefender}, title = {{Debugging MosaicLoader, One Step at a Time}}, date = {2021-07-19}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf}, language = {English}, urldate = {2021-07-20} } Debugging MosaicLoader, One Step at a Time
AsyncRAT Glupteba
2021-06-04K7 SecurityMary Muthu Francisca
@online{francisca:20210604:glupteba:f7ec1dc, author = {Mary Muthu Francisca}, title = {{Glupteba back on track spreading via EternalBlue exploits}}, date = {2021-06-04}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=22319}, language = {English}, urldate = {2021-06-21} } Glupteba back on track spreading via EternalBlue exploits
Glupteba
2021-02-25IntezerIntezer
@techreport{intezer:20210225:year:eb47cd1, author = {Intezer}, title = {{Year of the Gopher A 2020 Go Malware Round-Up}}, date = {2021-02-25}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf}, language = {English}, urldate = {2021-06-30} } Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy
2020-12-02DomainToolsJoe Slowik
@online{slowik:20201202:identifying:8ac64c3, author = {Joe Slowik}, title = {{Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign}}, date = {2020-12-02}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign}, language = {English}, urldate = {2020-12-08} } Identifying Network Infrastructure Related to a World Health Organization Spoofing Campaign
Azorult Glupteba
2020-06-24Sophos Naked SecurityPaul Ducklin
@online{ducklin:20200624:glupteba:8f0c66a, author = {Paul Ducklin}, title = {{Glupteba - the malware that gets secret messages from the Bitcoin blockchain}}, date = {2020-06-24}, organization = {Sophos Naked Security}, url = {https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/}, language = {English}, urldate = {2020-06-26} } Glupteba - the malware that gets secret messages from the Bitcoin blockchain
Glupteba
2020-06-24Sophos LabsAndrew Brandt
@online{brandt:20200624:glupteba:fc4095d, author = {Andrew Brandt}, title = {{Glupteba malware hides in plain sight}}, date = {2020-06-24}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728}, language = {English}, urldate = {2020-06-24} } Glupteba malware hides in plain sight
Glupteba
2020-04-13Dissecting MalwareMarius Genheimer
@online{genheimer:20200413:blame:b258b2b, author = {Marius Genheimer}, title = {{The Blame Game - About False Flags and overwritten MBRs}}, date = {2020-04-13}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html}, language = {English}, urldate = {2020-04-15} } The Blame Game - About False Flags and overwritten MBRs
Glupteba MBR Locker
2020-02-07Medium CSIS TechblogBenoît Ancel
@online{ancel:20200207:installcapital:23b3760, author = {Benoît Ancel}, title = {{InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime}}, date = {2020-02-07}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451}, language = {English}, urldate = {2020-02-09} } InstallCapital — When AdWare Becomes Pay-per-Install Cyber-Crime
DreamBot Glupteba
2019-09-04Trend MicroJaromír Hořejší, Joseph C. Chen
@online{hoej:20190904:glupteba:230e916, author = {Jaromír Hořejší and Joseph C. Chen}, title = {{Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions}}, date = {2019-09-04}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/}, language = {English}, urldate = {2020-01-10} } Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions
Glupteba
2018-03-22ESET ResearchFrédéric Vachon
@online{vachon:20180322:glupteba:10f0116, author = {Frédéric Vachon}, title = {{Glupteba is no longer part of Windigo}}, date = {2018-03-22}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/}, language = {English}, urldate = {2019-11-14} } Glupteba is no longer part of Windigo
Glupteba
2014-03-18ESET ResearchPierre-Marc Bureau
@online{bureau:20140318:operation:1b1bd17, author = {Pierre-Marc Bureau}, title = {{Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign}}, date = {2014-03-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/}, language = {English}, urldate = {2019-11-14} } Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign
Boaxxe Glupteba
2011-03-02ESET ResearchDavid Harley
@online{harley:20110302:tdl4:9071c3f, author = {David Harley}, title = {{TDL4 and Glupteba: Piggyback PiggyBugs}}, date = {2011-03-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/}, language = {English}, urldate = {2019-11-14} } TDL4 and Glupteba: Piggyback PiggyBugs
Glupteba
Yara Rules
[TLP:WHITE] win_glupteba_auto (20221125 | Detects win.glupteba.)
rule win_glupteba_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.glupteba."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb04 8bc7 2bc6 5f 5e }
            // n = 5, score = 400
            //   eb04                 | jmp                 6
            //   8bc7                 | mov                 eax, edi
            //   2bc6                 | sub                 eax, esi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_1 = { c1e708 0b7dec 33df 8b7d10 }
            // n = 4, score = 400
            //   c1e708               | shl                 edi, 8
            //   0b7dec               | or                  edi, dword ptr [ebp - 0x14]
            //   33df                 | xor                 ebx, edi
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]

        $sequence_2 = { 0bca 8b55d0 c1e108 0bc8 8b4510 }
            // n = 5, score = 400
            //   0bca                 | or                  ecx, edx
            //   8b55d0               | mov                 edx, dword ptr [ebp - 0x30]
            //   c1e108               | shl                 ecx, 8
            //   0bc8                 | or                  ecx, eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_3 = { 53 ff15???????? e9???????? 56 57 6a06 5f }
            // n = 7, score = 400
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   e9????????           |                     
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a06                 | push                6
            //   5f                   | pop                 edi

        $sequence_4 = { 6a02 ff75ee ff15???????? ff75ee ff15???????? 830bff ff45fc }
            // n = 7, score = 400
            //   6a02                 | push                2
            //   ff75ee               | push                dword ptr [ebp - 0x12]
            //   ff15????????         |                     
            //   ff75ee               | push                dword ptr [ebp - 0x12]
            //   ff15????????         |                     
            //   830bff               | or                  dword ptr [ebx], 0xffffffff
            //   ff45fc               | inc                 dword ptr [ebp - 4]

        $sequence_5 = { e8???????? 83c40c 85c0 0f85b3feffff }
            // n = 4, score = 400
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f85b3feffff         | jne                 0xfffffeb9

        $sequence_6 = { c1eb08 33d3 8b5dfc 33d9 c1e708 }
            // n = 5, score = 400
            //   c1eb08               | shr                 ebx, 8
            //   33d3                 | xor                 edx, ebx
            //   8b5dfc               | mov                 ebx, dword ptr [ebp - 4]
            //   33d9                 | xor                 ebx, ecx
            //   c1e708               | shl                 edi, 8

        $sequence_7 = { 8bec b804380000 e8???????? 53 }
            // n = 4, score = 400
            //   8bec                 | mov                 ebp, esp
            //   b804380000           | mov                 eax, 0x3804
            //   e8????????           |                     
            //   53                   | push                ebx

        $sequence_8 = { 005e3e 46 00ff 3e46 }
            // n = 4, score = 100
            //   005e3e               | add                 byte ptr [esi + 0x3e], bl
            //   46                   | inc                 esi
            //   00ff                 | add                 bh, bh
            //   3e46                 | inc                 esi

        $sequence_9 = { 00cd 3e46 005e3e 46 }
            // n = 4, score = 100
            //   00cd                 | add                 ch, cl
            //   3e46                 | inc                 esi
            //   005e3e               | add                 byte ptr [esi + 0x3e], bl
            //   46                   | inc                 esi

        $sequence_10 = { 0107 eb4d 8b02 89442418 }
            // n = 4, score = 100
            //   0107                 | add                 dword ptr [edi], eax
            //   eb4d                 | jmp                 0x4f
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax

        $sequence_11 = { 0012 3f 46 008bff558bec }
            // n = 4, score = 100
            //   0012                 | add                 byte ptr [edx], dl
            //   3f                   | aas                 
            //   46                   | inc                 esi
            //   008bff558bec         | add                 byte ptr [ebx - 0x1374aa01], cl

        $sequence_12 = { 00ff 3e46 0012 3f }
            // n = 4, score = 100
            //   00ff                 | add                 bh, bh
            //   3e46                 | inc                 esi
            //   0012                 | add                 byte ptr [edx], dl
            //   3f                   | aas                 

        $sequence_13 = { 0101 03d3 8b4620 8bcb }
            // n = 4, score = 100
            //   0101                 | add                 dword ptr [ecx], eax
            //   03d3                 | add                 edx, ebx
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   8bcb                 | mov                 ecx, ebx

        $sequence_14 = { 0106 830702 392e 75a0 }
            // n = 4, score = 100
            //   0106                 | add                 dword ptr [esi], eax
            //   830702               | add                 dword ptr [edi], 2
            //   392e                 | cmp                 dword ptr [esi], ebp
            //   75a0                 | jne                 0xffffffa2

        $sequence_15 = { 00f1 3d46005e3e 46 00cd }
            // n = 4, score = 100
            //   00f1                 | add                 cl, dh
            //   3d46005e3e           | cmp                 eax, 0x3e5e0046
            //   46                   | inc                 esi
            //   00cd                 | add                 ch, cl

    condition:
        7 of them and filesize < 1417216
}
Download all Yara Rules