Emerging Threats

Glupteba botnet infects devices via software installers and cracks

Nihad Hassan

Jul 17, 20233 min read

Glupteba botnet infects devices via software installers or cracks (Header image)

Hackers are constantly developing new ways to attack end users’ devices to use them in large-scale cyber attacks. A recent threat discovered by Nozomi Networks Labs is a new malicious campaign of the Glupteba trojan.

What is the Glupteba trojan?

Glupteba is a backdoor trojan used to conduct malicious actions on infected devices. What makes Glupteba more dangerous than traditional malware is its dependence on the Bitcoin blockchain to distribute its Command And Control Servers (C&C). Hackers use the C&C to control the malware remotely after installing it on user devices. Glupteba’s blokchain-based C&C makes taking down the network very difficult compared to traditional botnets.

Glubteba on VirusTotal
The Glupteba trojan, as seen on VirusTotal

How does Glupteba spread?

Glupteba primarily spread via the Pay-Per Install (PPI) model, where the advertiser pays each time their application gets installed by users. Hackers misuse legitimate PPI advertisement networks to spread malicious software to unaware users.

You can also find Glupteba on untrusted websites like torrent download sites. A common method Glupteba uses to infect devices is concealing its presence in cracked software and installing it silently when the user installs the cracked application on their computer. Pirated music and video files are another major source of infection with this malware.

One more method used by hackers to infect devices with Glupteba is through exploit kits. For example, when you use an outdated application or web browser add-on, the hackers can exploit these security gaps to install the trojan.

When Glupteba gets installed on the victim’s device, it will provide backdoor access to hackers to perform various malicious actions. For example, hackers will be able to download and install additional malware, such as:

  • Ransomware to encrypt user files and demand a ransom to decrypt the files back
  • Cryptojacking code to mine cryptocurrencies on your devices without your knowledge
  • Browser extensions that display ads on the infected device, generating profits for the hackers
  • Stealer malware, such as keyloggers and spyware, which record everything you type on your keyboard with the aim of stealing account credentials and other sensitive information

Hackers have used the most recent campaign of Glupteba to launch Distributed Denial Of Service (DDoS) attacks.

How Glupteba is used to make DDoS attacks

In addition to infecting end-user computing devices, hackers use Glupteba to target internet of things (IoT) devices and use them later to launch DDoS attacks. The number of IoT devices is increasing rapidly and is estimated to reach 30.9 billion units by 2025. Non-tech savvy users don’t always possess the required security knowledge to configure their IoT to connect to the internet securely. For example, many users leave the default administrator credentials on their home routers, TV, and other home smart appliances without changing them. This allows hackers to infect these devices with Glupteba and to form a large botnet of infected devices. The Glupteba botnets can later attack a specific online service, such as Amazon’s website, and make it unresponsive for some time.

How to prevent infection with the Glupteba malware

  1. Avoid downloading unlicensed and cracked software. Hackers conceal Glupteba within software installers to infect unaware users with the malware.
  2. Keep your operating system patched with the latest security updates. Your installed applications and web browser add-ons should also remain up to date. This prevents hackers from using exploit kits to infect your computer with Glupteba.
  3. Install a reputable antimalware program and keep it current to provide a robust line of defense in case you mistakenly introduce Glupteba to your computer system.

Glupteba trojan is an emerging threat that poses a severe risk to end users. It’s important to protect your device so that it doesn’t become part of a malicious network.

Nihad Hassan Nihad Hassan
Nihad is an independent cybersecurity consultant and cyber OSINT expert, online blogger, and book author. He has been researching different areas of information security for more than 15 years.