For an attacker, using a known piece of malware carries both advantages and disadvantages. While security researchers know exactly what infection patterns to look for, old malware can still go unnoticed if it’s not trending or if it uses new tricks to avoid detection. Glupteba does both.
Glupteba is a backdoor first spotted in 2014, so it’s by no means a new development. However, at the end of 2018, Bitdefender’s Advanced Threat Control (ATC) team observed a surge in detections on the process name 'app.exe', and started actively looking into it. Bitdefender researchers traced the process to the original Glupteba malware. They found a substantial increase in targeted attacks in business environments using the infamous Trojan, suggesting an extensive campaign with a renewed focus on enterprise customers.
While researchers are typically already familiar with the actions and indicators of compromise of an old piece of malware, attackers use a variety of tricks to keep their cyber-weapon one step ahead of detection. In the case of Glupteba, such techniques include:
● packing, to generate many different hashes for the same code and evade static analysis
● specific command line triggers, to prevent execution in an automated sandboxed environment
● living-off-the-land techniques for downloading updates and maintaining persistence
● creating copies of itself with names that resemble critical system processes
● mimicking various process trees to trick an observer into thinking it’s a benign process
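As an added defender-side illustration (example code written for this page, not taken from the Bitdefender paper or from the malware), the Python below checks constructed process-creation records for the last two tricks in the list: image names that imitate critical system processes, and parent processes that do not match the real process tree. The expected paths and parents in EXPECTED, and the Sysmon-style image/parent record layout, are assumptions about a standard Windows host.

```python
import ntpath
from difflib import SequenceMatcher

# Assumed normal location and parent of a few critical processes on a
# standard Windows host (extend as needed for your environment).
EXPECTED = {
    "svchost.exe": (r"c:\windows\system32", "services.exe"),
    "csrss.exe": (r"c:\windows\system32", "smss.exe"),
    "lsass.exe": (r"c:\windows\system32", "wininit.exe"),
}

def lookalike(name):
    """Critical name that `name` most resembles (ratio >= 0.8, e.g. svch0st.exe), else None."""
    best, score = None, 0.0
    for real in EXPECTED:
        ratio = SequenceMatcher(None, name.lower(), real).ratio()
        if ratio > score:
            best, score = real, ratio
    return best if score >= 0.8 else None

def check(record):
    """Return the reasons a record looks suspicious; an empty list means benign."""
    name = ntpath.basename(record["image"]).lower()
    path = ntpath.dirname(record["image"]).lower()
    parent = ntpath.basename(record["parent"]).lower()
    real = lookalike(name)
    if real is None:
        return []  # not imitating any process this check knows about
    exp_dir, exp_parent = EXPECTED[real]
    reasons = []
    if name != real:
        reasons.append(f"name {name!r} imitates {real!r}")
    if path != exp_dir:
        reasons.append(f"{real} launched from {path!r}, expected {exp_dir!r}")
    if parent != exp_parent:
        reasons.append(f"{real} spawned by {parent!r}, expected {exp_parent!r}")
    return reasons

def scan(records):
    """(image name, reasons) for every record that trips at least one rule."""
    return [(ntpath.basename(r["image"]), rs) for r in records if (rs := check(r))]

# Constructed sample events (Sysmon-style image/parent pairs, not real telemetry).
SAMPLE = [
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\bob\AppData\Roaming\svchost.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\csrss.exe", "parent": r"C:\Windows\System32\smss.exe"},
    {"image": r"C:\ProgramData\svch0st.exe", "parent": r"C:\Windows\explorer.exe"},
]
```

Running scan(SAMPLE) flags only the second record (real name, wrong path and parent) and the fourth (lookalike name, wrong path and parent); a generically named dropper such as 'app.exe' is not a lookalike and needs the path and scheduled-task checks described below instead.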
Glupteba operators achieve persistence on the target system via scheduled tasks and regular updates saved under various process names. They can exfiltrate data and add the infected machine to a botnet, as well as execute remote processes for cryptocurrency mining and browser information theft. The malware can also steal browser data like history, cookies and even passwords.
Bitdefender has published a technical paper – Old dog with new tricks. A study on the resurfacing of the Glupteba malware – revealing the nuts and bolts of Glupteba and describing how our technologies catch the malware before it can wreak havoc. The paper includes several graphs showing the malware’s evolution by month, detection distribution by geographical region, and more. Of note, Glupteba operators have an apparent affinity for the Asian market, with the highest number of detections recorded in countries including Thailand, India and Vietnam.
Bitdefender GravityZone protects enterprise customers against stealthy, advanced attacks leveraging both old and new malware and is designed to address the entire threat lifecycle with advanced protection, detection, response and risk analytics.