General explanation

Type: Trojan

Degree of destruction: high

Prevalence: average

Names of the malware:

  • Trojan.Win32.Glupteba.a (Padvish)
  • Trojan:Win32/Glupteba.NT!MTB (Microsoft)
  • Win32/Kryptik.HIJO (ESET-NOD32)
  • TR/AD.SmokeLoader.vwvta (Avira)

What is a Trojan?

Trojans are a type of malware that present themselves as harmless, legitimate software and behave like useful applications, but cause extensive damage to the system once executed. Trojans enter a system through software downloaded from the internet, embedded HTML content, email attachments, and similar routes. Unlike viruses and computer worms, Trojans do not replicate themselves.

What is Glupteba malware?

Glupteba is a Trojan that takes control of the victim's system by injecting malicious code into the Windows Explorer.exe process; by connecting to its Command and Control server it downloads and executes new versions of itself as well as other malware such as ransomware and worms. On execution, the malware checks its environment for malware analysis tools, and if it detects that it is running in a VM it terminates its own process without infecting the system.

Technical explanation

Signs of infection

  • Executable files with no extension and random names in the %AppData% path
  • A scheduled task that runs an executable file located in the %AppData% path
  • A large number of malicious executable files in the %Temp% path
  • Explorer.exe connecting to suspicious network addresses and downloading and executing other malware

Explaining the action

After execution, the malware injects its malicious code into the Explorer.exe process. It then creates a copy of itself with a random name and no extension (still an executable file despite the missing extension) in the %AppData% path and deletes its original file from the location it was run from. Glupteba then downloads and executes new samples of itself together with ransomware and other malware. It also continuously monitors the system's running processes and prevents common malware analysis tools, such as the Sysinternals tools, from executing.

Persistence of the malware

The malware creates a scheduled task whose action points to the file it created in the %AppData% path, so that it runs every time the system starts and again on a defined schedule.
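A hunting script for the two host-based indicators described above (an extensionless executable in %AppData%, and a scheduled task whose action launches a file from %AppData%), added here as an example and not part of this writeup or Padvish's own tooling. It parses Task Scheduler XML definitions for <Exec><Command> actions and checks files for the PE "MZ" signature; the sample task XML, the user name and the random file name are constructed for illustration.

```python
import ntpath
import os
import re
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"  # Task Scheduler XML schema

# Constructed sample task definition (not taken from a real infection); the file name is made up.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>"C:\Users\alice\AppData\Roaming\kdjfhsu"</Command></Exec>
  </Actions>
</Task>"""

def exec_commands(task_xml: str) -> list:
    """Return every <Exec><Command> value from a scheduled-task XML document."""
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)  # expat rejects a UTF-16 declaration in str input
    root = ET.fromstring(task_xml)
    return [(c.text or "").strip() for c in root.iter(TASK_NS + "Command")]

def runs_from_appdata(command: str, appdata: str) -> bool:
    """Persistence indicator: a task action that launches a file located under %AppData%."""
    path = re.sub(r"%appdata%", lambda _: appdata, command.strip().strip('"'), flags=re.I)
    norm = lambda p: ntpath.normcase(ntpath.normpath(p))  # Windows path rules, case-insensitive, on any OS
    return norm(path).startswith(norm(appdata) + "\\")

def is_extensionless_pe(name: str, head: bytes) -> bool:
    """File indicator: no extension, yet the first bytes carry the PE 'MZ' signature."""
    return ntpath.splitext(name)[1] == "" and head[:2] == b"MZ"

def scan_host() -> list:
    """Walk %AppData% and the task store on a live Windows host; returns [] elsewhere."""
    findings, appdata = [], os.environ.get("APPDATA")
    if os.name != "nt" or not appdata:
        return findings
    for f in (p for p in Path(appdata).rglob("*") if p.is_file()):
        with f.open("rb") as fh:
            head = fh.read(2)
        if is_extensionless_pe(f.name, head):
            findings.append(f"extensionless PE in %AppData%: {f}")
    tasks = Path(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "Tasks")
    for t in (p for p in tasks.rglob("*") if p.is_file()):  # reading this store needs admin rights
        try:
            cmds = exec_commands(t.read_text(encoding="utf-16"))
        except (OSError, ValueError, ET.ParseError):
            continue
        findings += [f"task {t.name} runs {c}" for c in cmds if runs_from_appdata(c, appdata)]
    return findings
```

Run scan_host() from an elevated prompt on the suspect machine; each returned line names the file or task that matches an indicator and should then be reviewed by hand.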

How to deal with it and disinfect the system

Padvish Antivirus detects and disinfects this malware. To prevent infection, avoid clicking on suspicious links and scan attached files before opening them. Also keep your operating system and antivirus up to date.
