Trojan Glupteba
Original Issue Date:-
May 05, 2018
Virus Type:-
Trojan
Severity:-
High
Several variants of Trojan Glupteba with updated functionalities are reported. This Trojan arrives on a system as a file dropped by other malware or by exploit kits when users are being unknowingly routed to malicious sites. Generally the malware installs itself as a service and enable persistent mechanisms on the victim machine posing as updation legit software. The malware communicates to hardcoded IP addresses and ports.
The IP list may contain legit / compromised resources as well.
Sample communication:
Fig 1. Representation of sample communication
Generated traffic towards:
Domains
- ostdownload.xyz
- travelsreview.wo rld
- bigdesign.website
- sportpics.xyz
- kinosport.top
- 0ev.ru
- 0df.ru
- 0d2.ru
- 0d9.ru
IP address
- 109[.]104.94.2:11754
- 172[.]245.29.128:45297
- 174[.]34.232.88:49649
- 184[.]154.128.82:31973
- 192[.]184.35.170:52112
- 212[.]48.66.150:22357
- 41[.]77.118.74:57136
- 50[.]116.54.156:46956
- 65[.]60.11.122:49021
- 70[.]32.107.132:19796
- 72[.]13.32.43:29755
- 82[.]98.104.7:30871
- 87[.]98.188.159:15206
- 5[.]101.6.132
- 5[.]79.87.139
- 5[.]79.87.153
- 5[.]8.10.194
- 37[.]48.81.151
- 46[.]165.244.129
- 46[.]165.249.167
- 46[.]165.249.195
- 46[.]165.249.201
- 46[.]165.249.203
- 46[.]165.250.25
- 78[.]31.67.205
- 78[.]31.67.206
- 80[.]93.90.27
- 80[.]93.90.32
- 80[.]93.90.69
- 80[.]93.90.72
- 80[.]93.90.78
- 80[.]93.90.84
- 81[.]30.152.25
- 85[.]114.135.113
- 85[.]114.141.81
- 89[.]163.206.137
- 89[.]163.206.174
- 89[.]163.212.9
- 91[.]121.65.98
- 91[.]216.93.126
- 91[.]216.93.20
- 109[.]238.10.78
- 178[.]162.193.193
- 178[.]162.193.195
- 178[.]162.193.66
- 178[.]162.193.86
- 193[.]111.140.238
- 193[.]111.141.213
- 212[.]92.100.114
- 212[.]92.100.115
- 213[.]202.254.161
- 213[.]5.70.9
- 217[.]79.189.227
File system
- 623F4A6CD5947CA0016D3E33A07EB72E8C176BA cloudnet.exe
- ED310E5B9F582B4C6389F7AB9EED17D89497F277 cloudnet.exe
- F7230B2CAB4E4910BCA473B39EE8FD4DF394CE0D setup.exe
- 70F2763772FD1A1A54ED9EA88A2BCFDB184BCB91 cloudnet.e xe
- 87AD7E248DADC2FBE00D8441E58E64591D9E3CBE cloudnet.exe
- 1645AD8468A2FB54763C0EBEB766DFD8C643F3DB csrss.exe
- 09708c49ffb1556c9b80b3a2dc1f57fe
- %UserProfile%\Local Settings\Applica tion Data\NVIDIA Corporation\Updates\NvdUpd.exe
- %UserProfile%\Local Settings\Application Data\NVIDIA Corporation\Updates\NvdUpd.exe .bak
- HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\nvUpdSrv\"value" = "[GENERIC N UMBER]"
- HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\nvUpdSrv\"GUID" = "[GENERIC GUID]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"NvUpdSrv" =
- "%UserProfile%\Local Settings\Application Data\NVIDIA Corporation\Updates\NvdUpd.exe
- Global\MD7H82HHF7EH2D73 [Mutex]
Recommendations:
- CERT-IN recommends monitoring activity to the IP(s) / Domains as a potential indicator of infection.
- Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
- Restrict execution of powershell /WSCRIPT in enterprise environment Ensure installation and use of the
latest version (currently v5.0) of PowerShell, with enhanced logging enabled. script block logging, and
transcription enabled. Send the associated logs to a centralized log repository for monitoring and
analysis.
Reference: https://www.fireeye.com/blog/threatresearch/2016/02/greater_visibilityt.html. - Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails,attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution. Note: A lot of malicious domains are using TLDs of (.PW, .TOP, .ME) and DYNDNS domains. Monitor connections to such domains Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints..
References: