

Here’s a SophosLabs technical paper that should tick all your jargon boxes!

Our experts have deconstructed a strain of malware called Glupteba that uses just about every cybercrime trick you’ve heard of, and probably several more besides.

Glupteba is what’s known as a zombie or bot (short for software robot) that can be controlled from afar by the crooks who wrote it.

But it’s more than just a remote control tool for criminals, because Glupteba also includes a range of components that let it serve as all of the following:

Glupteba includes a variety of Windows kernel drivers that can hide the existence of specific files and processes. Kernel rootkits are unusual these days because they’re complex to write and often draw unnecessary attention to themselves. However, if loaded successfully, rootkits can help cybersecurity threats lie low by keeping malware files off the radar of security tools and stopping them from showing up in security logs.

Glupteba has a module that does its best to turn Windows Defender off, and then regularly checks to make sure it hasn’t turned itself back on. It also looks for a laundry list of other security tools, including anti-virus software and system monitoring programs, killing them off so they can no longer search for and report anomalies.

Glupteba uses two different variants of the ETERNALBLUE exploit to distribute itself automatically across your own network, and anyone else’s it can find by reaching out from your computer. That makes it an old-school, self-spreading computer virus (or more specifically a worm) rather than just a standalone piece of malware.

Glupteba bundles in various exploits against popular home and small business routers, using your computer as a jumping-off point to attack other people. It uses one of these attacks to open up unpatched routers to act as network proxies that the crooks can use as “jumping-off” points for future attacks. This leaves the unfortunate victim looking like an attacker themselves and showing up as an apparent source of cybercriminal activity.

Glupteba goes after local data files from four different browsers – Chrome, Firefox, Yandex and Opera – and uploads them to the crooks. Browser files often contain sensitive information such as URL history, authentication cookies, login details and even passwords that can’t be accessed by code such as JavaScript running inside the browser. So crooks love to attack your browser from outside, where the browser isn’t in control.

Along with everything else it does, Glupteba can act as a secretive management tool for two different cryptomining tools. Cryptominers are legal if you use them with the explicit permission of the person paying the electricity bills to run the computers you’re using (and cryptomining can consume a lot of power). Here, the crooks get you to pay their power bills and take the cryptocoins for themselves.

As you probably know, zombies or bots aren’t much use to the crooks if they can’t call home to get their next wave of instructions. The most interesting feature that we learned about in the report (and we think you’ll be fascinated too) is how Glupteba uses the Bitcoin blockchain as a communication channel for receiving updated configuration information.

Glupteba has a long list of built-in malicious commands that the crooks can trigger, including the self-explanatory update-data and upload-file commands that are detailed in the report. But it also includes, as with most bots, generic commands to download and run new malware, meaning that even if you know everything about Glupteba itself, you can’t predict what it might morph into next because the crooks can update the running malware at will.
