Glupteba Backdoor Trojan

Share On Facebook
Share On Twitter
Share On Linkedin

Author: Christopher Kim

TLP: WHITE

From 20 to 26 September, Infoblox detected communications between malicious Glupteba bots and command and control (C2) servers in customer DNS traffic. This activity was identified by our Threat Insight1 (TI) security solution, which employs machine learning models to detect and block certain types of malicious behavior, in this case data exfiltration.2

Glupteba is a backdoor trojan that was first discovered in 2014.3 What sets it apart from other backdoors is its sophisticated functionality for stealthily controlling remote bots. The malware can also use modules to perform the following tasks:

  • Install a rootkit to control the bot and hide malware files and processes from the system administrator.
  • Turn off antivirus and security monitoring programs.
  • Propagate across the victim’s network using EternalBlue variant exploits.
  • Compromise unpatched ethernet routers and use them as network proxies for future attacks.
  • Steal data from local browser files.
  • Secretly run cryptominers.

In late 2019, the malware authors applied a significant update that allows Glupteba to fetch C2 information by querying Bitcoin transaction IDs hardcoded into the binary.4

Threat Insight detected 28 unique second-level domains (SLDs) in customer DNS traffic that were used for C2 communications. The domains are all inherently malicious and were registered between March and May 2020. The threat actor registered most of the domains with companies such as GoDaddy, Namecheap, or 101domain. The threat actor set all the nameservers to Cloudflare, a network provider often used by miscreants for its Dynamic DNS services.

Domain names may have been generated with a dictionary-based domain generation algorithm (DGA). Each domain name is alphanumeric and consists of two or more words. Each bot submitted hundreds of DNS requests to fully qualified domain names (FQDNs) that contained a patterned global unique identifier (GUID).

Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.

Endnotes

  1. https://www.infoblox.com/products/threat-insight/
  2. https://www.infoblox.com/glossary/dns-tunneling/
  3. https://labs.bitdefender.com/2019/12/revisiting-glupteba-still-relevant-five-years-after-debut/
  4. https://news.sophos.com/en-us/2020/06/24/glupteba-report/

 

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×