Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions (Sep 4, 2019)
Threat actors are distributing the "Glupteba" trojan via malvertisements as a pay-per-install adware service, according to Trend Micro researchers. The actors behind Glupteba use the infected machines for several purposes: providing proxy services, deploying a Monero cryptocurrency miner, and propagating through networks with the EternalBlue exploit (MS17-010). The Glupteba variant analyzed in this campaign downloads two additional components: a browser stealer that collects account names and passwords, browsing history, and website cookies, and a MikroTik router attack that exploits CVE-2018-14847, the Winbox directory-traversal vulnerability that allows credentials to be read from the router. The Glupteba dropper was also found to retrieve its Command and Control (C2) domains from Bitcoin transactions, which lets the operators rotate C2 infrastructure without touching the malware binary and makes the C2 lookup channel hard to take down.
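The C2-over-blockchain technique deserves a closer look, because the same lookup the dropper performs can be run by a defender to pre-empt the next C2 rotation. The following Python is an added example and is not the page's or Trend Micro's code. It assumes the domain is carried in an OP_RETURN output (the standard script opcode for embedding arbitrary data in a transaction output) and, since this page does not describe how the domain is encoded, treats the payload as a plain ASCII domain; a real sample would need the malware's own decoding step in front of the regex. The sample transactions are constructed inline by a small serializer so the example runs offline.

```python
"""Extract domain-like OP_RETURN payloads from raw Bitcoin transactions.

Added example (not from the original article). Assumptions: legacy (non-segwit)
serialization, payload carried in an OP_RETURN output, payload is plain ASCII.
"""
import re
from typing import List, Optional, Tuple

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D
# Hostname shape only; real filtering would add TLD/length checks.
DOMAIN_RE = re.compile(r"^[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})+$")


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return int.from_bytes(buf[pos + 1:pos + 3], "little"), pos + 3
    if first == 0xFE:
        return int.from_bytes(buf[pos + 1:pos + 5], "little"), pos + 5
    return int.from_bytes(buf[pos + 1:pos + 9], "little"), pos + 9


def encode_varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


def op_return_script(payload: bytes) -> bytes:
    """Build 'OP_RETURN <push payload>' choosing the correct push opcode."""
    if len(payload) <= 0x4B:            # direct push: opcode is the length
        push = bytes([len(payload)])
    elif len(payload) <= 0xFF:
        push = bytes([OP_PUSHDATA1, len(payload)])
    else:
        push = bytes([OP_PUSHDATA2]) + len(payload).to_bytes(2, "little")
    return bytes([OP_RETURN]) + push + payload


def build_legacy_tx(outputs: List[Tuple[int, bytes]]) -> bytes:
    """Serialize a constructed legacy tx with one dummy input (test fixture only)."""
    tx = (1).to_bytes(4, "little")                                  # version
    tx += encode_varint(1) + b"\x00" * 32 + b"\xff" * 4             # 1 input: prevout
    tx += encode_varint(0) + b"\xff" * 4                            # empty scriptSig, sequence
    tx += encode_varint(len(outputs))
    for value, script in outputs:
        tx += value.to_bytes(8, "little") + encode_varint(len(script)) + script
    return tx + b"\x00" * 4                                         # locktime


def parse_outputs(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk a legacy serialized tx and return [(value_sats, scriptPubKey), ...]."""
    pos = 4
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        raise ValueError("segwit serialization not handled in this example")
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):                       # skip inputs entirely
        pos += 32 + 4                           # prev txid + prev index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                   # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    if pos + 4 != len(raw):                     # locktime must be the last 4 bytes
        raise ValueError("malformed transaction: unexpected trailing bytes")
    return outputs


def op_return_payload(script: bytes) -> Optional[bytes]:
    """Return the pushed data of an OP_RETURN script, or None if not one."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if 1 <= op <= 0x4B:
        start, length = 2, op
    elif op == OP_PUSHDATA1:
        start, length = 3, script[2]
    elif op == OP_PUSHDATA2:
        start, length = 4, int.from_bytes(script[2:4], "little")
    else:
        return None                              # OP_PUSHDATA4 / non-push: ignore
    data = script[start:start + length]
    return data if len(data) == length else None


def extract_c2_candidates(raw_txs: List[bytes]) -> List[str]:
    """Return every OP_RETURN payload that decodes to a hostname-shaped string."""
    found = []
    for raw in raw_txs:
        for _value, script in parse_outputs(raw):
            payload = op_return_payload(script)
            if payload is None:
                continue
            try:
                text = payload.decode("ascii").strip().lower()
            except UnicodeDecodeError:
                continue                         # binary payload, not a plain domain
            if DOMAIN_RE.match(text):
                found.append(text)
    return found


if __name__ == "__main__":
    # Constructed sample: one ordinary P2PKH output plus an OP_RETURN carrying a domain.
    p2pkh = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
    sample = build_legacy_tx([(1000, p2pkh), (0, op_return_script(b"example.invalid"))])
    print(extract_c2_candidates([sample]))
```

In practice the lookup would be run over the transaction history of the wallet address hard-coded in the sample, and any hostname the script returns becomes a block-list candidate before the dropper switches to it. The example deliberately treats non-ASCII payloads as noise; if the real payload is encrypted or otherwise encoded, that decoding belongs between `op_return_payload` and the regex.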
Recommendation: Glupteba was previously believed to be connected to the campaign called "Operation Windigo", and in 2018 it was distributed through exploit kits targeting Windows users. The actors operating Glupteba currently appear to be testing and refining the malware, so further capability changes should be expected in the near future. Every internet-connected device should be treated as a potential security liability, for companies and individuals alike: MikroTik routers should run a RouterOS version that fixes CVE-2018-14847, with the Winbox service not exposed to the internet; Windows hosts should have the MS17-010 patch applied and SMBv1 disabled so EternalBlue cannot be used for lateral movement; and unexpected Monero mining or proxy traffic from endpoints should be investigated as a possible infection.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.