GUP Proxy Tool

Description

(Proofpoint) The GUP command and control proxy tool may impersonate the name of a piece of legitimate opensource software available at wingup[.]org, which is used by Notepad++. In historic campaigns by APT adversaries, legitimate GUP.exe versions were utilized that were digitally signed by Notepad++. In this campaign, files appeared to impersonate the GUP.exe file name rather than being a legitimate signed binary. The function of this tool is to set up a TCP listener on a localhost, receive encoded data via requests from the SodomNormal localhost module, and to forward this data to the command and control IP via HTTP. The GUP Proxy Tool has a hardcoded configuration which is included as both strings and integers.

Names

Name
GUP Proxy Tool

Type

Backdoor

Information

https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.gup_proxy

Other Information

Uuid

bbb65fa6-b7ba-4d24-9b9d-5e189dcba544

Last Card Change

2021-04-24

Threat Intelligence Garden

Explorer

GUP Proxy Tool

GUP Proxy Tool

Description

Names

Category

Type

Information

Malpedia

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks