
Glupteba

Posted: June 16, 2015

Glupteba is a botnet Trojan that can download other threats onto your PC and connect to an attacker-controlled server. Current versions of Glupteba include significant support for cryptocurrency-related activities, such as mining, collecting information and compromising the victim's router hardware. Have anti-malware products remove Glupteba as they detect it and, if appropriate, reset any infected routers to factory condition.

The Trojan that Starts on Your PC before Sneaking on Your Router

Old, previously analyzed Trojans often give new reasons for a second look. Botnet-based Trojan operations reinforce the 'look frequently and closely' rule of thumb, since they can update themselves and drastically expand (or even narrow) the niches their payloads occupy. Glupteba, for example, is a well-known threat that has just begun adding routers to its hit list.

Glupteba is a mostly standard Windows backdoor Trojan with botnet proxy features. Its threat actor may loan or sell its threat-installing services to others, or keep it under personal control. It can download and execute files, update itself, and conduct some forms of espionage, such as enumerating running processes and grabbing screenshots. Malware experts also emphasize Glupteba's built-in support for running Monero cryptocurrency-mining modules such as XMRig.

Some newer changes to Glupteba's behavior include dropping spyware that collects browser credentials, such as passwords, and abusing a router exploitation tool. The latter is notable because it gives Glupteba's botnet a new platform for expansion, and it targets MikroTik devices in particular. It uses CVE-2018-14847, a patchable vulnerability that lets attackers connect through Winbox ports. Routers that Glupteba has compromised are currently being used to relay pharmaceutical spam campaigns and to contact the Instagram photo-sharing service for reasons that remain unclear.

Dodging Advertisements for Trojans

Glupteba's operators use malvertising (corrupted advertisements) to circulate their threat. Prior attacks are also noted for their use of Exploit Kits, browser-based threats that scan your PC for vulnerabilities that can be used for drive-by-download attacks. Some security precautions that users can take to protect their systems include:

  • Check that your MikroTik router has the April 23, 2018 security patch for its Winbox port vulnerability.
  • Disable Web browser features, such as Flash and Java, that could lead to threat-installing attacks.
  • Avoid download requests from suspicious sources, such as advertisements that claim that they're serving software updates.
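One way to turn the router check above into something you can run against a device inventory, as an added example that is not part of the original article: it assumes RouterOS 6.42.1 is the April 23, 2018 build that fixes CVE-2018-14847 and that Winbox's default TCP port is 8291, neither of which the page states, and the inventory it reads is constructed for the example.

```python
"""Flag MikroTik routers in an inventory that predate the April 23, 2018 Winbox fix."""
import re

# Assumption (not on the page): RouterOS 6.42.1, released April 23, 2018, is the
# build that closes CVE-2018-14847; anything older is treated as unpatched.
PATCHED_VERSION = (6, 42, 1)
WINBOX_PORT = 8291  # assumption: Winbox's default TCP port; the page only says "Winbox ports"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:rc\d+)?$")

def parse_routeros_version(text):
    """Turn '6.42.1', '6.42rc52' or '6.39' into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_vulnerable(version_text):
    """True when the version predates the patched build."""
    return parse_routeros_version(version_text) < PATCHED_VERSION

def audit(inventory):
    """inventory: dicts with host, version, open_ports. Returns (host, status), worst first."""
    findings = []
    for dev in inventory:
        try:
            vulnerable = is_vulnerable(dev["version"])
        except ValueError:
            findings.append((dev["host"], "unknown-version"))  # needs manual review
            continue
        if not vulnerable:
            continue
        exposed = WINBOX_PORT in dev.get("open_ports", ())
        findings.append((dev["host"], "unpatched-winbox-exposed" if exposed else "unpatched"))
    # Exposed and unpatched routers are the ones to reset and patch first.
    return sorted(findings, key=lambda f: f[1] != "unpatched-winbox-exposed")

# Constructed sample inventory; the hosts and versions are made up for this example.
SAMPLE_INVENTORY = [
    {"host": "edge-rtr-1", "version": "6.40.5", "open_ports": [8291, 80]},
    {"host": "edge-rtr-2", "version": "6.42.1", "open_ports": [8291]},
    {"host": "branch-rtr", "version": "6.39", "open_ports": [22]},
    {"host": "lab-rtr", "version": "7.1beta", "open_ports": []},
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```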

Anti-malware solutions with browser-monitoring features should block the majority of such attacks, blacklist known unsafe domains, and remove Glupteba where needed. Users should also reset any infected routers to their default factory settings, following the manufacturer's recommendations.

Although Glupteba's goals are pedestrian, the bulk of its creativity lies in how it expands. The jump from personal computers to the Internet of Things (IoT) is a big one, and it should prompt readers to ask what may come next for this botnet business.
