Anti-Malware Research Whitepapers

Revisiting Glupteba: Still Relevant Five Years after Debut

In the fast-paced world of cybersecurity, malware normally gets a brief period in the spotlight before it falls into oblivion. This is not the case with Glupteba, a backdoor first spotted in 2014 that has undergone major changes to stay relevant.

At the end of 2018, our Advanced Threat Control team observed a considerable wave of detections on a process called ‘app.exe’ and started looking into it. We traced this process to the original Glupteba malware. The increasing number of such detections throughout the year suggests an extensive campaign focused on enterprise customers.

The current version of Gluteba comes with backdoor, data exfiltration, crypto-currency mining and browser information theft capabilities.

Old dog, new tricks

Known malware can easily be detected: security solutions can detect samples and threat intelligence feeds already list indicators of compromise to aid investigation. Glupteba, however, stays on the cutting edge of evasion with several new tricks, including:

  • packing, to generate lots of different hashes for the same code and evade static analysis
  • specific command line triggers, to prevent execution in an automated sandboxed environment
  • living-off-the-land techniques for downloading updates and maintaining persistence
  • creating copies of itself with names that resemble critical system processes
  • impersonating various process trees to trick an observer into thinking it’s a benign process

A complete analysis of the Glupteba malware and geographic distribution is available in a research paper available for download below. An up-to-date list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users.

Download the whitepaper

About the author

Avatar

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

About the author

Janos Gergo SZELES

Janos Gergo SZELES

János Gergő Széles is a senior software engineer at Bitdefender. Passionate about malware behaviour analysis, he is continuously looking for new tricks employed by malicious actors. When not glued to the computer, he likes to spend time in nature and to take care of his bonsai. He believes that with perseverance, even the most challenging riddles can be solved.