Cybereason’s Nocturnus Research Team Identifies New Glupteba Trojan Variants


Cybereason's researchers have discovered the pervasive Glupteba trojan proliferating throughout parts of Asia. New research from the company details the advanced techniques adversaries are using to carry out these attacks.

Cybereason, creators of the leading Cyber Defense Platform, today announced that its Nocturnus researchers spent many months identifying numerous new variants of the popular Glupteba trojan. Glupteba uses advanced techniques, including living-off-the-land, to gain access and persistence. The malware authors have rewritten Glupteba in Go, a relatively new language for malware authors, to increase its reach.

The team’s research found Glupteba making use of an extensive arsenal, including a cryptocurrency miner. Glupteba is prevalent in nearly 200 countries. This particular campaign is targeting businesses across Asia.

“Glupteba has been around for many years, but is still being actively developed and improved. Based on the variety of tools and techniques Cybereason observed, it is clear that threat actors have put in substantial efforts improving the malware. It implements a cryptocurrency miner and uses advanced techniques and lives-off-the-land. At the same time, the malware was not able to evade detection and made use of techniques that contradicted each other. For example, the malware used a driver to hide files and processes, but also left payloads visible or did not delete them at all. The large number of executed tools made this attack less stealthy than it perhaps could have been,” said Vlad Ogranovich, Director of Professional Services, Cybereason.

Key Takeaways:

  • The Cybereason Nocturnus team identified multiple variants of Glupteba that made use of an extensive arsenal, including cryptocurrency miners and modules that target MikroTik routers.
  • This research is a deep technical dive into each step of the attack sequence, with specifics on how the malware drops the payload, escalates privileges, establishes persistence, installs, communicates with the C2 server, and propagates across the network through a router vulnerability. In addition, researchers outline how Glupteba used multiple evasive methods to avoid detection, including bundling with legitimate adware to infect the target machine and downloading the main payload with the living-off-the-land technique.
  • As with previous variants, Glupteba uses a rootkit to conceal its behavior and arsenal of tools.
  • This attack leverages the EternalBlue exploit to propagate across machines on the network.

Glupteba Remediation Recommendations:

  • Remove administrative rights from end users to prevent them from installing unauthorized applications and toolbars.
  • Implement and reinforce strong security awareness training across departments.
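One way to act on the first recommendation is to audit which principals actually hold local administrator rights before removing them. The PowerShell below is an added example, not code from Cybereason or from the report: it lists members of the local Administrators group that are not on an allow-list and prints a removal command to review. The allow-list entries (the CONTOSO domain groups) are assumptions and must be replaced with the accounts your organization approves.

```powershell
# Added example (not from the Cybereason report): audit the local Administrators
# group and report members outside an allow-list. The allow-list entries below
# are assumptions; replace them with the principals your organization approves.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (rename or disable per policy)
    'CONTOSO\Domain Admins',              # assumed domain group
    'CONTOSO\Workstation Admins'          # assumed tier-appropriate admin group
)

# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later)
# and an elevated session.
$Members = Get-LocalGroupMember -Group 'Administrators'

# Anything not explicitly approved is a candidate for removal.
$Unexpected = $Members | Where-Object { $Approved -notcontains $_.Name }

foreach ($m in $Unexpected) {
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Member          = $m.Name
        ObjectClass     = $m.ObjectClass      # User or Group
        PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
    }
}

# Dry run of the removal; drop -WhatIf once the list has been reviewed.
$Unexpected | ForEach-Object {
    Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name -WhatIf
}
```

Run it from an elevated prompt on a representative set of endpoints first; end users who appear in the output are the accounts whose rights this recommendation says to remove. Standard user accounts cannot install the adware bundles and drivers the report describes Glupteba relying on without a separate privilege escalation step.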

About Cybereason
Cybereason, creators of the leading Cyber Defense Platform, gives the advantage back to the defender through a completely new approach to cybersecurity. Cybereason offers endpoint prevention, detection and response and active monitoring. The solution delivers multi-layered endpoint prevention by leveraging signature and signatureless techniques to prevent known and unknown threats in conjunction with behavioral and deception techniques to prevent ransomware and fileless attacks. Cybereason is privately held and is headquartered in Boston, with offices in London, Sydney, Tel Aviv, Tokyo, Asia-Pacific and continental Europe.


Media Contact:
Bill Keeler
Senior Director, Global Public Relations
(929) 259-3261
