2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article explains the analysis of Glupteba malware variants in detail. The editor shares it for reference; after reading it, you should have a basic understanding of the relevant topics.
Recently, the Glupteba malware has been found attacking networks. It is an old malware family that first appeared in an operation called Windigo and spread to Windows users through vulnerabilities.
In 2018, a security firm reported that Glupteba had become independent of Windigo and had moved to pay-per-install adware services. Glupteba activity serves several purposes: providing proxy services, exploiting vulnerabilities for mining, and so on.
After studying the recently discovered Glupteba variants, we found two undocumented components besides the Glupteba malware itself:
A browser-stealing component that steals sensitive data from browsers, such as browsing history, website cookies, account names and passwords, and sends the information to a remote server.
A router attack component that exploits CVE-2018-14847 to attack MikroTik routers on the local network. It uploads the stolen administrator credentials to the server, and the router is then used as a proxy relay.
In addition, we found that Glupteba can retrieve its latest C&C domain names from Bitcoin transactions; we explain this feature in the next section. The attackers are still refining their malware and trying to extend their proxy network to IoT devices.
Glupteba Download Analysis
The downloaded binary is packed by a custom packer, written in the Go programming language, and compiled into an executable. Configuration information is initialized first by obtaining current application information, operating information, hardware information, and some hard-coded binary information. It creates the registry key HKEY_USERS\\Software\Microsoft\TestApp to store all the retrieved information. The result of running the initialization function is shown below.
The sendparentprocesses function gets the machine_guid from the registry and the distribution server ID and campaign ID from the file name, PID, and name of the parent process. It embeds this information in a POST request, encrypts it with an AES key, and uploads it to the C&C server.
It then checks whether the process is elevated and running as the SYSTEM user. If the process is not elevated, it attempts to elevate privileges using the fodhelper method. If it is not running as SYSTEM, it relaunches itself in Run as Trusted Installer mode.
The main functions are as follows:
The mainstall function checks for installed antivirus programs, adds firewall rules, and adds Windows Defender exclusions.
The mainpoll function periodically polls the C&C server for new commands. The POST parameters are as follows (before AES encryption):
challenge=e94e354daf5f48ca&cloudnet_file=1&cloudnet_process=1&lcommand=0&mrt=1&pgdse=0&sb=1&sc=0&uuid=&version=145&wup_process=1&wupv=0.
Finally, the handlecommand function implements the backdoor functionality.
C&C Update Capability
The backdoor has most of the standard features; in addition, the malware can update its C&C server address via the blockchain using the discoverdomain feature.
The discoverdomain function can be triggered by a backdoor command or run automatically. It first enumerates Electrum Bitcoin wallet servers using a public list, then attempts to query the history associated with a hard-coded hash.
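As an added example (not code from the article or from Glupteba itself), the following Python extracts OP_RETURN payloads from a raw Bitcoin transaction, which is what an analyst inspects when a sample is suspected of reading its C&C domain from the blockchain as described above. It assumes the domain is carried in an OP_RETURN output and that the transaction uses the legacy (non-SegWit) serialization; the transaction it parses is constructed inline, not a real one.

```python
import struct

OP_RETURN = 0x6A  # script opcode marking a provably unspendable data-carrier output

def _read_varint(buf, pos):
    """Bitcoin CompactSize decoding; returns (value, position after it)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + width

def op_return_payloads(raw):
    """Data pushed after OP_RETURN in each output of a legacy (non-SegWit) raw tx."""
    pos = 4                                   # skip the 4-byte version field
    n_in, pos = _read_varint(raw, pos)
    for _ in range(n_in):                     # inputs carry nothing we need here
        pos += 36                             # prev txid (32) + output index (4)
        slen, pos = _read_varint(raw, pos)
        pos += slen + 4                       # scriptSig + 4-byte sequence
    n_out, pos = _read_varint(raw, pos)
    found = []
    for _ in range(n_out):
        pos += 8                              # 8-byte satoshi value
        slen, pos = _read_varint(raw, pos)
        script, pos = raw[pos:pos + slen], pos + slen
        if len(script) > 2 and script[0] == OP_RETURN:
            push = script[1]
            if push <= 0x4B:                  # direct push of 1..75 bytes
                found.append(script[2:2 + push])
            elif push == 0x4C:                # OP_PUSHDATA1: next byte is the length
                found.append(script[3:3 + script[2]])
    return found

def build_demo_tx(payload):
    """Constructed legacy tx (demo assumption): one dummy input, one spend output, one OP_RETURN output."""
    txin = b"\x00" * 32 + struct.pack("<I", 0) + b"\x00" + struct.pack("<I", 0xFFFFFFFF)
    spend = struct.pack("<Q", 1000) + bytes([25]) + b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
    data_script = bytes([OP_RETURN, len(payload)]) + payload   # payload must be <= 75 bytes here
    data_out = struct.pack("<Q", 0) + bytes([len(data_script)]) + data_script
    return struct.pack("<I", 1) + b"\x01" + txin + b"\x02" + spend + data_out + struct.pack("<I", 0)

if __name__ == "__main__":
    # The domain below is a constructed placeholder, not an indicator from the article.
    tx = build_demo_tx(b"c2.example.invalid")
    print(op_return_payloads(tx))             # [b'c2.example.invalid']
```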
Browser Information-Stealing Component
The component found in the Glupteba variant is called "updateprofile"; it is a browser profile, cookie, and password extractor. Cookies, history, and other profile data are compressed and uploaded to the information collection server. This component is also written in Go, compiled to an executable, and packed with UPX.
Another version of the browser stealer is called "vc.exe". Its goal is to extract browser passwords and cookies and send the extracted data to an information-gathering server.
Router Attack Component
Another component we found is the router attack component, which is also developed in Go. It looks up the default gateway of the victim's network and obtains the list of default IP gateways by invoking the WMI query "SELECT DefaultIPGateway FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUE".
In addition to these addresses, three default addresses are added: 192.168.88.11, 192.168.0.1, and 192.168.1.1.
Once the component successfully connects to a device listening on port 8291, it attempts to exploit CVE-2018-14847, which affects the RouterOS system used on MikroTik routers and allows attackers to obtain administrator credentials from unpatched routers. The retrieved account name and password are stored in a JSON object, encrypted, and sent to the C&C server.
After the credentials are obtained, tasks are added to the router's scheduler. There are three ways to add scheduler tasks: using the WinBox protocol, using SSH, or using the API.
Router Traffic Relay
After the above setup, the router becomes a SOCKS proxy that the attacker uses to relay traffic. The first remote connection routed through the SOCKS proxy comes from a server that may belong to the attacker. This server's query returns the IP address of the current SOCKS proxy server; the query was sent repeatedly, possibly to monitor the SOCKS proxy service.
After the first router status check, two types of traffic are relayed through the proxy to different servers. The first is spam traffic: the remote server connects to the SMTP service of various mail servers through the router's SOCKS proxy. If the mail server accepts the connection, the remote server starts sending spam.
Besides spam traffic, there is other traffic from a set of remote servers that repeatedly connect to Instagram. Because this traffic is protected by HTTPS encryption, it is unclear what exactly these connections are used for; it could be a password-reuse attack on Instagram.
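As an added detection example (not the article's or the malware's code), the following Python flags both behaviours described above in constructed flow records: LAN hosts opening Winbox connections to a gateway, as the router attack component does, and router-originated SMTP fan-out plus repeated HTTPS connections to one host, as seen on a relaying router. The flow format, thresholds and addresses are assumptions for the demo.

```python
from collections import Counter

WINBOX_PORT = 8291
# The three fallback gateway addresses named in the article.
HARDCODED_GATEWAYS = {"192.168.88.11", "192.168.0.1", "192.168.1.1"}

def winbox_probes(flows, gateways):
    """LAN hosts opening Winbox (TCP 8291) connections to a gateway: the router attack
    component's first step. flows are (src, dst, dport) tuples."""
    targets = set(gateways) | HARDCODED_GATEWAYS
    return sorted({src for src, dst, dport in flows if dport == WINBOX_PORT and dst in targets})

def relay_indicators(flows, router_ip, smtp_min_dsts=5, https_min_hits=10):
    """Router-originated traffic consistent with a SOCKS relay: SMTP fan-out to many
    mail servers (spam) and many repeated HTTPS connections to a single host."""
    smtp_dsts = {dst for src, dst, dport in flows if src == router_ip and dport == 25}
    https_hits = Counter(dst for src, dst, dport in flows if src == router_ip and dport == 443)
    return {
        "smtp_fanout": len(smtp_dsts) >= smtp_min_dsts,
        "smtp_destinations": len(smtp_dsts),
        "repeated_https": sorted(d for d, n in https_hits.items() if n >= https_min_hits),
    }

# Constructed sample flows (src, dst, dport); addresses are documentation ranges, not real hosts.
ROUTER_WAN_IP = "203.0.113.9"
SAMPLE_FLOWS = (
    [("10.0.0.7", "192.168.1.1", WINBOX_PORT)]                         # workstation probing its gateway
    + [(ROUTER_WAN_IP, f"198.51.100.{i}", 25) for i in range(1, 9)]     # router opening SMTP to 8 mail servers
    + [(ROUTER_WAN_IP, "192.0.2.20", 443)] * 12                         # router hitting one HTTPS host repeatedly
    + [("10.0.0.7", "192.0.2.30", 443)] * 3                             # ordinary browsing noise
)

if __name__ == "__main__":
    print(winbox_probes(SAMPLE_FLOWS, {"192.168.1.1"}))   # ['10.0.0.7']
    print(relay_indicators(SAMPLE_FLOWS, ROUTER_WAN_IP))
```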
Security Recommendations
Malware is a widespread threat that affects both users and businesses. A multi-layered approach to security, covering gateways, endpoints, networks, and servers, is important.
Security should be a top priority when setting up a router, since most home and office devices connect through it. Users and businesses can adopt good security practices to defend against threats. In addition, deploying security tools provides extra protection for home networks and the devices connected to them, further strengthening defenses.
This concludes the analysis of Glupteba malware variants shared here. I hope the above content is of some help and that you have learned something. If you think the article is good, share it so that more people can see it.
© 2024 shulou.com SLNews company. All rights reserved.