Malware
Cross-Platform / Modular Glupteba Malware Uses ManageX
This entry features the analysis of a variant of Glupteba, emphasising the modularity and the cross-platform features of the malware as seen through the examination of its code. Notable in this variant is the use of ManageX.
We recently encountered a variant of Glupteba (detected by Trend Micro as Trojan.Win32.GLUPTEBA.WLDR). Glupteba is a trojan type that has been involved with Operation Windigo in the past. We also reported its attacks on MikroTik routers and updates on its command and control (C&C) servers.
With regard to its behaviour, the variant shares many similarities with other Glupteba variants. Notable in this newly uncovered strain is the use of ManageX (detected by Trend Micro as Trojan.JS.MANAGEX.A), a type of modular adware that we recently analysed. This entry also aims to emphasise the modularity and the cross-platform features of Glupteba as seen through the analysis of its code.
The use of Go programming language
After unpacking the main dropper used in this attack, it has been confirmed that the malware variant is written in the open-sourced programming language Go, which is commonly referred to as Golang. Go is barely a decade old, and its use for creating malware is still quite uncommon, although it has been used in several variants of Glupteba, like the ones analysed by security researchers from Sophos and Cybereason.
The use of the Go programming language for creating malware might be attractive to some cybercriminals due to various features that the language lends to help malware get into the target systems undetected. One such feature is that it can be compiled using only one repository on a system but remain executable across different operating systems. This is advantageous to malware types aiming to have multiplatform capabilities and payloads.
Also, malware types written in Go have large file sizes. This is because the Go standard library is not well modularised; therefore, importing a single function would pull a significant code size. This can help the malware to infiltrate a system as some antivirus software might be unable to scan files that are too large. It is also difficult for researchers to analyse as large files can be tedious for static analysis.
The dropper
The main dropper in the Glupteba attack is used to establish persistence by installing the rootkit component that would inject malicious code to the svchost.exe process. This process would become the downloader of the payload. This is done because Glupteba intends to treat its payload as modules. It is also a method for hiding the malicious process by disguising it as a normal one.
The modular approach of the malware is performed by gradually dropping components onto the system. This is to avoid being detected by antivirus software.
Initial static analysis of the dropper did not uncover much, as the dropper is packed using a UPX packer. Most droppers similar to the sample were also packed to hide meaningful strings. This is common amongst packed executable files and helps in making investigation difficult for analysts.
Using a UPX unpacker shows that the sample is compiled using C++.
As aforementioned, unpacking the file indicates that the sample was written in Go programming language.
This sample cannot be completely unpacked using common tools. It is necessary to open the file in a debugger to completely see the strings that would be helpful to a malware analyst. Moreover, some antimalware tools heavily rely on readable strings in a sample to determine whether it is malicious or not. This is another reason that malware authors use packers.
The strings in the unpacked sample indicate its use of web browsers on different platforms. One payload of this Glupteba variant involves the installation of extensions for malicious advertisements. Furthermore, the installation of web browsers is not limited to Windows-based ones; rather, it also includes Linux-based, Android-based, and even IOS-based web browsers.
The malware’s code mentions DoublePulsar, a backdoor implant tool that the Shadow Brokers group leaked. It enables the execution of additional malicious code, and it is commonly delivered by the EternalBlue exploit.
The extension installer payload
The payload observed on the particular machine is an installed extension. These extensions are installed in the system by executing wcrx.exe, a file packed similarly as the dropper. This file does the following:
- Adds a browser extension named chrome_filter to a web browser installed in the machine
- Connects to hxxp://fffffk[.]xyz/down/m_inc[.]js?1589344811463 and replaces the m_inc.js file from the browser extension. This is a content script that runs for every visited page.
- Starts rundll32.exe that then queries hxxp://info[.]d3pk[.]com/js_json for a list of JSONs, which contains scripts to be injected to Internet Explorer
Upon further investigation, it is revealed that the master_preferences file on the system has malicious indications such as the chrome AppID. This file contains the settings that a user wants to apply to their computer’s Chrome browser. Installing a Chrome extension in this file is a way to add features and functionalities to the Chrome browser.
The content shows a Chrome AppID that is an Indicator of Compromise (IOC) for the ManageX chrome extension, as reported in a past entry. ManageX uses a malicious extension to the Chrome browser for tracking the users’ browser activities and communicating with C&C domains. A detailed report about ManageX can be found in our virus report.
The virus report also indicates that the infection can begin through the installation of a seemingly legitimate installer or a piece of freeware. This point of entry is similar to many other malware and is no different from the Glupteba malware that is usually spread under the guise of being a legitimate, non-malicious application.
The exploit
The other use of the dropper in an attack involves using the initial machine as a foothold from which it will scan the internal network to look for vulnerable machines. It can then launch an EternalBlue exploit to spread the dropper laterally across the network.
EternalBlue is a hacking tool developed by NSA along with other tools and exploits such as EternalSynergy, EternalRomance, and the aforementioned DarkPulsar. The cybercriminal group Shadow Brokers reportedly leaked these back in 2017. In particular, the EternalBlue exploit was used to spread WannaCry ransomware and Petya ransomware.
The EternalBlue exploit involves a group of critical vulnerabilities in Microsoft SMBv1, specifically CVE-2017-0143 to CVE-2017-0148, which are used in various systems such as Windows 7, Windows Server 2008, Windows XP, and even Windows 10 with opened or enabled port 445. These strings from the unpacked sample reveal the targeted Windows versions, port, and architecture, similar to where Microsoft SMBv1 is also used. Microsoft SMBv1 is now frequently disabled or uninstalled.
The flaws were patched immediately by Microsoft in March 2017 with the MS17-010 security update. However, many enterprises have difficulty instituting patches and thus remain vulnerable. Also, many malware authors still exploit EternalBlue for malicious activities such as cryptojacking.
Protecting systems from Glupteba malware
Malware authors use various combinations of tried-and-tested strategies and novel tactics to achieve their goal of compromising users’ systems. Enterprises can ensure the protection of their data by performing the following best practices:
- Patch and update systems, or consider a virtual patching solution.
- Only download apps from legitimate download centres and app stores.
- Enable firewalls as well as intrusion detection and prevention systems.
- Implement security mechanisms for all possible points of entry such as endpoint, email, web, and network.
Vulnerabilities can be protected through the following security solutions:
- Trend Micro™ Deep Security™ – protects user systems from a variety of threats that target vulnerabilities.
- Trend Micro™ Deep Discovery™ Inspector – monitors zero-day exploitation via custom sandboxing and an extensive array of detection techniques.
- TippingPoint® Advanced Threat Protection – offers protection from targeted attacks and advanced threats.
Trend Micro Deep Security customers are protected by the following IPS rules:
- IPS Rules 1008224, 1008225, 1008227: includes coverage for MS17-010 and some specific protection from Windows SMB remote code execution vulnerabilities.
- IPS Rules 1008327, 1008328: includes coverage for server and client suspicious SMB session as protection from the DoublePulsar payload.
Trend Micro Deep Discovery Inspector customers are protected with the following rule:
- DDI Rule 2383: CVE-2017-0144 – Remote Code Execution – SMB (Request)
Trend Micro TippingPoint customers with the following filters have updated protection:
- Filters 27433, 27711, 27935, 27928: includes coverage for MS17-010 and some specific protection from Windows SMB remote code execution vulnerabilities and attacks.
MITRE ATT&CK Techniques
Tactic |
Technique |
ID |
Description |
Execution |
Native API |
T1106 |
Used Windows application programming interface (API) to execute binaries |
Defence Evasion |
Deobfuscate/Decode Files or Information |
T1140 |
Performs deobfuscation on files or information |
Masquerading |
T1036 |
Manipulates the name or location of an executable to evade defences |
|
Virtualisation/Sandbox Evasion |
T1497 |
Cheques for presence of Virtualisation/Sandbox to avoid detection or analysis |
|
Discovery |
File and Directory Discovery |
T1083 |
Search in specific locations of a host or network share for certain information within a file system. |
Process Discovery |
T1057 |
Get information about running processes on a system |
|
Query Registry |
T1012 |
Interacts with the Windows Registry to gather information about the system, configuration, and installed software |
|
System Network Configuration Discovery |
T1016 |
Retrieves the addresses associated with the adaptors on the local computer |
|
Collection |
Data from Local System |
T1005 |
Sensitive data can be collected from local system sources |
Exfiltration
|
Exfiltration Over Alternative Protocol |
T1048 |
Data exfiltration is performed with a different protocol from the main C2C protocol or channel |
Indicators of Compromise
SHA-256 |
Trend Micro Pattern Detection |
a29da4c0ffe15f0cf1b6c9867af54280da1bad2f28515eb4a49e6260b6388f3c |
Trojan.Win32.GLUPTEBA.WLDR |