Author: Christopher Kim
From 20 to 26 September, Infoblox detected communications between malicious Glupteba bots and command and control (C2) servers in customer DNS traffic. This activity was identified by our Threat Insight1 (TI) security solution, which employs machine learning models to detect and block certain types of malicious behavior, in this case data exfiltration.2
Glupteba is a backdoor trojan that was first discovered in 2014.3 What sets it apart from other backdoors is its sophisticated functionality for stealthily controlling remote bots. The malware can also use modules to perform the following tasks:
- Install a rootkit to control the bot and hide malware files and processes from the system administrator.
- Turn off antivirus and security monitoring programs.
- Propagate across the victim’s network using EternalBlue variant exploits.
- Compromise unpatched ethernet routers and use them as network proxies for future attacks.
- Steal data from local browser files.
- Secretly run cryptominers.
In late 2019, the malware authors applied a significant update that allows Glupteba to fetch C2 information by querying Bitcoin transaction IDs hardcoded into the binary.4
Threat Insight detected 28 unique second-level domains (SLDs) in customer DNS traffic that were used for C2 communications. The domains are all inherently malicious and were registered between March and May 2020. The threat actor registered most of the domains with companies such as GoDaddy, Namecheap, or 101domain. The threat actor set all the nameservers to Cloudflare, a network provider often used by miscreants for its Dynamic DNS services.
Domain names may have been generated with a dictionary-based domain generation algorithm (DGA). Each domain name is alphanumeric and consists of two or more words. Each bot submitted hundreds of DNS requests to fully qualified domain names (FQDNs) that contained a patterned global unique identifier (GUID).
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.