Also known as: Trojan.Win32.Glupteba, Win32/Glupteba, Backdoor.Glupteba, PUA:Win32/Glupteba, W32/Glupteba
Platform: Windows, Linux
Variants: Win32/Glupteba!ml, TROJ_GLUPTEBA.[various letters], BKDR_GLUPTEBA.[various letters], Trojan.Win32.GLUPTEBA.[various letters]
Damage potential: botnet formation, cryptomining, leaked credentials, system performance issues, unauthorized access, data theft, installation of undesirable software, network connectivity problems, malware infection, file corruption and loss, stolen keystrokes, browser interference.
Glupteba is a notorious modular trojan known for its constant evolution and stealth. It is distributed through various means, such as exploit kits, and can adapt to changing environments. For example, it can download and install new modules that help it avoid detection and removal.
While Glupteba can function as a backdoor granting unauthorized access to infected systems, it can also serve as a RAT (remote access trojan), facilitating deeper intrusion and data theft. Also, some of its variants have been used for cryptojacking, using devices it infiltrates to mine cryptocurrency.
Glupteba has a bag of tricks for evading detection. For example, it embeds itself deep in the system so that it persists even after a reboot. It can also download newer versions of itself as well as additional modules. As a result, you may notice spikes in network traffic and other unusual behavior.
Other Glupteba symptoms include:
- System performance issues. You may notice your computer slow down, especially when Glupteba is used for cryptojacking.
- Unauthorized network traffic. Glupteba communicates with its command-and-control (C&C) servers, so check for unusual network traffic or connections to unfamiliar IP addresses.
- Unexpected system behavior. Check for unfamiliar processes running in the task manager and changes in system settings.
- Decreased security. Glupteba disables your antivirus software and other security features.
- Browser anomalies. In some cases, Glupteba may change your browser settings, set a new home page, or redirect your requests to other sites.
Sources of the infection
Malicious actors often spread Glupteba using exploit kits, software packages designed to identify vulnerabilities in a system and exploit them to install malicious programs. Glupteba has also been observed disguised as a software updater and spread through malvertising and pirated commercial software.
Because Glupteba spreads by exploiting system vulnerabilities, your best defense against it is keeping your system up to date.
Additionally, you can protect yourself against Glupteba by:
- Keeping your antivirus, firewall, and anti-malware software up to date.
- Blocking pop-ups and scripts by using browser extensions.
- Disabling unnecessary extensions, because they can serve as entry points for exploit kits.
- Avoiding links you are not completely sure about.
- Enabling NordVPN’s Threat Protection, which scans files for malware before they are downloaded to your device.
Although it uses various evasion techniques, cybersecurity researchers have known about Glupteba for several years. If your antivirus is up to date, it should handle the removal without the need to download specialized software. However, antivirus tools are not foolproof, so stay alert.