
Cybercrime: Glupteba malware is evolving thanks to Golang


Cybereason: Glupteba malware is evolving thanks to new variants written in Golang

Glupteba malware is evolving, expanding its TTPs beyond what was previously known, according to cyber security experts from the Cybereason Nocturnus Team. The new variants are written in Golang, an open source programming language released by Google in 2009, and combine several layers of infection with various exploits and tools to form a complete attack. This is a new trend that can be advantageous for cybercrime, since Golang code can be compiled from a single repository and still produce executables for other operating systems. Moreover, the malicious code is outfitted with a cryptocurrency miner and a router exploit, along with rootkit capabilities to hide its toolkit on the compromised host. It infects the target machine while evading detection by bundling with legitimate adware downloads and using fileless techniques to drop its payload. It is a backdoor Trojan that enables the threat actor to perform several actions on the affected Windows system.

The cyber security experts: The trojan was first spotted in 2011. Since then, the malware has been distributed through several different methods and used in multiple attacks, such as Operation Windigo

Cyber security experts first spotted Glupteba in 2011 as a malicious proxy generating spam and click-fraud traffic from compromised machines. Since then, the malware has been distributed through several different methods and used in multiple attacks, including Operation Windigo until 2018. Most of its history has revolved around Operation Windigo, though over the years the malware has matured significantly, becoming part of its own botnet and being distributed via adware. The cybercrime trojan also has some weaknesses. The most serious is that it fails to evade detection and uses techniques that contradict each other. For example, the malware uses a driver to hide files and processes, but also leaves payloads visible or does not delete them at all. The large number of executed tools makes this attack less stealthy than it perhaps could have been.
