1 min read

Revisiting Glupteba: Still Relevant Five Years after Debut

Bogdan BOTEZATU

December 16, 2019

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Revisiting Glupteba: Still Relevant Five Years after Debut

In the fast-paced world of cybersecurity, malware normally gets a brief period in the spotlight before it falls into oblivion. This is not the case with Glupteba, a backdoor first spotted in 2014 that has undergone major changes to stay relevant.

At the end of 2018, our Advanced Threat Control team observed a considerable wave of detections on a process called ‘app.exe’ and started looking into it. We traced this process to the original Glupteba malware. The increasing number of such detections throughout the year suggests an extensive campaign focused on enterprise customers.

The current version of Gluteba comes with backdoor, data exfiltration, crypto-currency mining and browser information theft capabilities.

Old dog, new tricks

Known malware can easily be detected: security solutions can detect samples and threat intelligence feeds already list indicators of compromise to aid investigation.  Glupteba, however, stays on the cutting edge of evasion with several new tricks, including:

  • packing,  to generate lots of different hashes for the same code and evade static analysis
  • specific command line triggers, to prevent execution in an automated sandboxed environment
  • living-off-the-land      techniques for downloading updates and maintaining persistence
  • creating copies of itself with names that resemble critical system processes
  • impersonating various process trees to trick an observer into thinking it’s a benign  process

A complete analysis of the  Glupteba malware and geographic distribution is available in a research paper available for download below. An up-to-date list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users.

Download the whitepaper

tags


Author



Right now

Top posts

A Red Team Perspective on the Device42 Asset Management Appliance

A Red Team Perspective on the Device42 Asset Management Appliance

August 10, 2022

1 min read
Vulnerabilities Identified in Wyze Cam IoT Device

Vulnerabilities Identified in Wyze Cam IoT Device

March 29, 2022

1 min read
New FluBot and TeaBot Global Malware Campaigns Discovered

New FluBot and TeaBot Global Malware Campaigns Discovered

January 26, 2022

10 min read
Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

December 10, 2021

2 min read
Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand

Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand

November 08, 2021

2 min read
Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware

Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware

September 16, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Under Siege for Months: the Anatomy of an Industrial Espionage Operation Under Siege for Months: the Anatomy of an Industrial Espionage Operation
Alexandru MAXIMCIUCVictor VRABIE
1 min read
New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike
Filip TRUȚĂRăzvan GOSAAdrian Mihai GOZOB
4 min read
New FluBot and TeaBot Global Malware Campaigns Discovered New FluBot and TeaBot Global Malware Campaigns Discovered
Bitdefender

January 26, 2022

10 min read