Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions

by Jaromir Horejsi and Joseph C. Chen


We recently caught a malvertising attack distributing the malware Glupteba. This is an older malware that was previously connected to a campaign named Operation Windigo and distributed through exploit kits to Windows users. In 2018, a security company reported that the Glupteba botnet may have been independent from Operation Windigo and had moved to a pay-per-install adware service to distribute it in the wild. The activities of the actors behind Glupteba have been varied: they were suspected of providing proxy services in the underground, and were identified as using the EternalBlue exploit to move into local networks and run Monero (XMR) cryptocurrency miners.


After looking into the recent variant of the Glupteba dropper delivered from the malvertising attack, we found that the dropper downloaded two undocumented components aside from the Glupteba malware:


A browser stealer that can steal sensitive data such as browsing history, website cookies, and account names and passwords from browsers, and send the information to a remote server.
A router exploiter that attacks MikroTik routers in the local network through the CVE-2018-14847 vulnerability. It schedules a task on the router for command and control (C&C) and uploads the stolen administrator credentials to a ..