BLACKHOLE EXPLOIT KIT SERVING GLUPTEBA TROJAN IN THE WILD
The Dell SonicWall Threats Research team has observed incidents of a new variant of Glupteba Trojan being delivered by Blackhole Exploit kits in the wild. The Glupteba malware family is known to generate revenue for cyber criminals by using a BlackHat SEO poisoning technique to push contextual advertisements onto infected machines and generating hits by click-jacking the end-user. The Trojan is a UPX packed NSIS installer executable and arrives via drive-by download from a malicious exploit site.
Upon execution, the Trojan drops a copy of itself at multiple locations:
· %AppData%\NVIDIA Corporation\Update\daemonupd.exe
· %Start Menu%\Programs\Startup\winupdate.lnk [shortcut to ensure file runs on system reboot]
The Trojan adds the following registry entries to ensure that it runs on system reboot:
· HKCU\USERID\Software\Microsoft\Windows\CurrentVersion\Run\NvUpdService: "%AppData%\NVIDIA Corporation\Update\daemonupd.exe /app (MD5HASH)"
· HKCU\USERID\Software\Microsoft\Windows\CurrentVersion\Run\Google Update: "%AppData%\Google\Update\gupdate.exe /app (MD5HASH)"
It then runs the dropped copy daemonupd.exe with arguments /app (MD5HASH) before terminating itself, thus beginning the post-infection cycle.
The daemonupd.exe attempts to resolve the following domains in order to establish connection with the Command and Control server:
The Trojan issues DNS queries every 5 seconds and %s is a random number from 1 to 30. Below is an example of the DNS queries seen from an infected system:
The first stage of the post infection cycle involves establishing a connection with the Command and Control server and waiting for commands as shown below:
Once the Trojan receives a session command, it will connect to the Command and Control server and receive additional instructions/data which are encrypted. It acts as a proxy in performing BlackHat SEO poisoning, click-fraud activity and relaying the results back to the server in encrypted form.
The samples that were analyzed for this alert were installed using a drive-by download via Blackhole Exploit Kit. Both these samples are hosted on the same server located in Russia (Screenshot courtesy DomainTools.com) and has been flagged multiple times by the Dell SonicWALL Gateway AV for serving malicious executables.
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
· GAV: Glupteba.AC (Trojan)
· GAV: Glupteba.AC_2 (Trojan)
· GAV: Blacole.gen (Exploit)