Cross-Platform / Modular Glupteba Malware Uses ManageX
This entry features the analysis of a variant of Glupteba, emphasizing the modularity and the cross-platform features of the malware as seen through the examination of its code. Notable in this variant is the use of ManageX.
We recently encountered a variant of Glupteba (detected by Trend Micro as Trojan.Win32.GLUPTEBA.WLDR). Glupteba is a trojan type that has been involved with Operation Windigo in the past. We also reported its attacks on MikroTik routers and updates on its command and control (C&C) servers.
With regard to its behavior, the variant shares many similarities with other Glupteba variants. Notable in this newly uncovered strain is the use of ManageX (detected by Trend Micro as Trojan.JS.MANAGEX.A), a type of modular adware that we recently analyzed. This entry also aims to emphasize the modularity and the cross-platform features of Glupteba as seen through the analysis of its code.
The use of Go programming language
After unpacking the main dropper used in this attack, we confirmed that the malware variant is written in the open-source programming language Go, commonly referred to as Golang. Go is barely a decade old, and its use for creating malware is still quite uncommon, although it has been used in several variants of Glupteba, like the ones analyzed by security researchers from Sophos and Cybereason.
The Go programming language might be attractive to some cybercriminals for creating malware because of features that help the malware reach target systems undetected. One such feature is that a single code base can be cross-compiled on one system into executables for different operating systems. This is advantageous to malware types aiming to have multiplatform capabilities and payloads.
Also, malware written in Go has large file sizes. This is because the Go standard library is not well modularized; importing a single function therefore pulls in a significant amount of code. This can help the malware infiltrate a system, as some antivirus software might be unable to scan files that are too large. Large files are also tedious to analyze statically, which makes the work of researchers more difficult.
The dropper
The main dropper in the Glupteba attack is used to establish persistence by installing the rootkit component, which injects malicious code into the svchost.exe process. This process then becomes the downloader of the payload. This is done because Glupteba treats its payload as modules; it is also a method for hiding the malicious process by disguising it as a normal one.
The modular approach of the malware is performed by gradually dropping components onto the system. This is to avoid being detected by antivirus software.
Initial static analysis of the dropper did not uncover much, as the dropper is packed with the UPX packer. Most droppers similar to this sample were also packed to hide meaningful strings. This is common among packed executable files and makes investigation difficult for analysts.
A UPX unpacker initially reports that the sample is compiled using C++.
However, as mentioned above, unpacking the file further indicates that the sample was written in the Go programming language.
This sample cannot be completely unpacked using common tools. It is necessary to open the file in a debugger to see all the strings that would be helpful to a malware analyst. Moreover, some antimalware tools rely heavily on readable strings in a sample to determine whether it is malicious. This is another reason that malware authors use packers.
The strings in the unpacked sample indicate its use of web browsers on different platforms. One payload of this Glupteba variant involves the installation of extensions for malicious advertisements. Furthermore, the web browsers referenced are not limited to Windows-based ones; the strings also include Linux-based, Android-based, and even iOS-based web browsers.
The malware’s code mentions DoublePulsar, a backdoor implant tool that the Shadow Brokers group leaked. It enables the execution of additional malicious code, and it is commonly delivered by the EternalBlue exploit.
The extension installer payload
The payload observed on the particular machine is an installed extension. These extensions are installed on the system by executing wcrx.exe, a file packed in the same way as the dropper. This file does the following:
- Adds a browser extension named chrome_filter to a web browser installed on the machine
- Connects to hxxp://fffffk[.]xyz/down/m_inc[.]js?1589344811463 and replaces the m_inc.js file of the browser extension. This is a content script that runs on every visited page.
- Starts rundll32.exe, which then queries hxxp://info[.]d3pk[.]com/js_json for a list of JSON objects containing scripts to be injected into Internet Explorer
Further investigation reveals that the master_preferences file on the system has malicious indicators such as the Chrome AppID. This file contains the settings that a user wants to apply to their computer's Chrome browser. Listing a Chrome extension in this file is a way to add features and functionality to the Chrome browser.
The content shows a Chrome AppID that is an Indicator of Compromise (IOC) for the ManageX Chrome extension, as reported in a past entry. ManageX uses a malicious Chrome extension to track users' browser activities and communicate with C&C domains. A detailed report about ManageX can be found in our virus report.
The virus report also indicates that the infection can begin through the installation of a seemingly legitimate installer or a piece of freeware. This point of entry is shared with many other malware families, and it is also how Glupteba itself is usually spread, under the guise of a legitimate, non-malicious application.
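As an added, illustrative check that is not part of the original analysis: the script below audits a Chrome master_preferences file for extension entries whose AppID is on a watchlist, is malformed, or whose update_url points outside Chrome's own update service. The master_preferences content and the watchlist ID are constructed placeholders, since the page does not print the ManageX AppID.

```python
import json
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
# Chrome's own update service; an extension updated from anywhere else deserves a look.
GOOGLE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Hypothetical watchlist: the page says a ManageX AppID is an IOC but does not print it,
# so a constructed placeholder ID stands in for it here.
WATCHLIST = {"aaaabbbbccccddddeeeeffffgggghhhh": "ManageX (placeholder ID)"}

# Constructed master_preferences content modelled on Chrome's layout, not taken from
# the sample. Extension entries live under extensions.settings keyed by AppID.
SAMPLE_MASTER_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaabbbbccccddddeeeeffffgggghhhh": {
                "manifest": {"name": "chrome_filter", "version": "1.0"},
                "update_url": "http://example.invalid/update.xml",
            },
            "nmmhkkegccagdldgiimedpiccmgmieda": {
                "manifest": {"name": "Google Wallet", "version": "1.0.0.5"},
                "update_url": GOOGLE_UPDATE_URL,
            },
        }
    }
})

def audit_master_preferences(text):
    """Return [(ext_id, name, reasons)] for extensions that trip at least one check."""
    settings = json.loads(text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        name = entry.get("manifest", {}).get("name", "<unknown>")
        if ext_id in WATCHLIST:
            reasons.append("watchlist: " + WATCHLIST[ext_id])
        if not EXT_ID_RE.match(ext_id):
            reasons.append("malformed extension ID")
        url = entry.get("update_url", "")
        if url and url != GOOGLE_UPDATE_URL:
            reasons.append("non-Google update_url: " + url)
        if reasons:
            findings.append((ext_id, name, reasons))
    return findings

if __name__ == "__main__":
    for ext_id, name, reasons in audit_master_preferences(SAMPLE_MASTER_PREFERENCES):
        print(ext_id, name, "; ".join(reasons))
```

On a real host, point the script at the master_preferences file shipped with the Chrome install (and, for the same checks on an existing profile, at the profile's Preferences file).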
The exploit
The other use of the dropper in an attack involves using the initial machine as a foothold from which it will scan the internal network to look for vulnerable machines. It can then launch an EternalBlue exploit to spread the dropper laterally across the network.
EternalBlue is a hacking tool developed by the NSA along with other tools and exploits such as EternalSynergy, EternalRomance, and DoublePulsar, mentioned above. The cybercriminal group Shadow Brokers reportedly leaked these back in 2017. In particular, the EternalBlue exploit was used to spread the WannaCry and Petya ransomware families.
The EternalBlue exploit involves a group of critical vulnerabilities in Microsoft SMBv1, specifically CVE-2017-0143 to CVE-2017-0148, which affect various systems such as Windows 7, Windows Server 2008, Windows XP, and even Windows 10 with port 445 open or enabled. Strings from the unpacked sample reveal the targeted Windows versions, port, and architecture, matching the systems on which Microsoft SMBv1 is used. Microsoft SMBv1 is now frequently disabled or uninstalled.
The flaws were patched immediately by Microsoft in March 2017 with the MS17-010 security update. However, many enterprises have difficulty instituting patches and thus remain vulnerable. Also, many malware authors still exploit EternalBlue for malicious activities such as cryptojacking.
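The internal scanning that precedes the EternalBlue spread described above leaves a recognisable footprint: one internal host reaching many internal peers on TCP/445 in a short time. The following detection routine is an added example, not part of the original analysis; the flow records are constructed and stand in for firewall or NetFlow logs in a whitespace-separated "timestamp src dst dport" form.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed flow records (timestamp, src, dst, dport) standing in for firewall or
# NetFlow logs; not taken from the sample or from any real network.
SAMPLE_FLOWS = """\
2020-05-13T10:00:01 10.0.1.25 10.0.1.1 445
2020-05-13T10:00:02 10.0.1.25 10.0.1.2 445
2020-05-13T10:00:02 10.0.1.25 10.0.1.3 445
2020-05-13T10:00:03 10.0.1.25 10.0.1.4 445
2020-05-13T10:00:03 10.0.1.25 10.0.1.5 445
2020-05-13T10:00:04 10.0.1.25 10.0.1.6 445
2020-05-13T10:00:05 10.0.1.25 10.0.1.7 445
2020-05-13T10:00:05 10.0.1.25 10.0.1.8 445
2020-05-13T10:00:06 10.0.1.25 10.0.1.9 445
2020-05-13T10:00:06 10.0.1.25 10.0.1.10 445
2020-05-13T10:00:07 10.0.1.40 10.0.1.50 445
2020-05-13T10:05:00 10.0.1.40 10.0.1.51 445
2020-05-13T10:00:08 10.0.1.60 93.184.216.34 443
"""

def detect_smb_sweeps(log_text, min_targets=8, window=timedelta(seconds=60)):
    """Return {src: set(dsts)} for internal sources that reached at least
    min_targets distinct internal hosts on TCP/445 within one sliding window."""
    hits = defaultdict(list)  # src -> [(timestamp, dst)] for internal-to-internal 445 flows
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        if dport != "445":
            continue
        if not (ipaddress.ip_address(src).is_private and ipaddress.ip_address(dst).is_private):
            continue  # outbound SMB to the internet is a different problem; skip it here
        hits[src].append((datetime.fromisoformat(ts), dst))
    sweeps = {}
    for src, events in hits.items():
        events.sort()
        # Slide a window anchored at each event and count distinct targets inside it.
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                sweeps[src] = targets
                break
    return sweeps

if __name__ == "__main__":
    for src, targets in detect_smb_sweeps(SAMPLE_FLOWS).items():
        print(f"{src} reached {len(targets)} internal hosts on 445 within 60s")
```

The threshold and window should be tuned against a baseline, since file servers and backup hosts legitimately talk to many peers on 445; the point is a single workstation suddenly doing so.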
Protecting systems from Glupteba malware
Malware authors use various combinations of tried-and-tested strategies and novel tactics to achieve their goal of compromising users’ systems. Enterprises can ensure the protection of their data by performing the following best practices:
- Patch and update systems, or consider a virtual patching solution.
- Only download apps from legitimate download centers and app stores.
- Enable firewalls as well as intrusion detection and prevention systems.
- Implement security mechanisms for all possible points of entry such as endpoint, email, web, and network.
Systems can be protected against these vulnerabilities through the following security solutions:
- Trend Micro™ Deep Security™ – protects user systems from a variety of threats that target vulnerabilities.
- Trend Micro™ Deep Discovery™ Inspector – monitors zero-day exploitation via custom sandboxing and an extensive array of detection techniques.
- TippingPoint® Advanced Threat Protection – offers protection from targeted attacks and advanced threats.
Trend Micro Deep Security customers are protected by the following IPS rules:
- IPS Rules 1008224, 1008225, 1008227: include coverage for MS17-010 and some specific protection from Windows SMB remote code execution vulnerabilities.
- IPS Rules 1008327, 1008328: include coverage for suspicious server and client SMB sessions as protection from the DoublePulsar payload.
Trend Micro Deep Discovery Inspector customers are protected with the following rule:
- DDI Rule 2383: CVE-2017-0144 – Remote Code Execution – SMB (Request)
Trend Micro TippingPoint customers with the following filters have updated protection:
- Filters 27433, 27711, 27935, 27928: include coverage for MS17-010 and some specific protection from Windows SMB remote code execution vulnerabilities and attacks.
MITRE ATT&CK Techniques
Tactic | Technique | ID | Description
--- | --- | --- | ---
Execution | Native API | T1106 | Used Windows application programming interface (API) to execute binaries
Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | Performs deobfuscation on files or information
Defense Evasion | Masquerading | T1036 | Manipulates the name or location of an executable to evade defenses
Defense Evasion | Virtualization/Sandbox Evasion | T1497 | Checks for the presence of virtualization/sandbox to avoid detection or analysis
Discovery | File and Directory Discovery | T1083 | Searches specific locations of a host or network share for certain information within a file system
Discovery | Process Discovery | T1057 | Gets information about running processes on a system
Discovery | Query Registry | T1012 | Interacts with the Windows Registry to gather information about the system, configuration, and installed software
Discovery | System Network Configuration Discovery | T1016 | Retrieves the addresses associated with the adapters on the local computer
Collection | Data from Local System | T1005 | Sensitive data can be collected from local system sources
Exfiltration | Exfiltration Over Alternative Protocol | T1048 | Data exfiltration is performed with a protocol different from the main C2 protocol or channel
Indicators of Compromise
SHA-256 | Trend Micro Pattern Detection
--- | ---
a29da4c0ffe15f0cf1b6c9867af54280da1bad2f28515eb4a49e6260b6388f3c | Trojan.Win32.GLUPTEBA.WLDR