The Glupteba botnet has been found to include a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit feature, adding another layer of sophistication and stealth to the malware.
“This bootkit can intervene and control the [operating system] boot process, enabling Glupteba to hide itself and create a stealthy persistence that can be extremely difficult to detect and remove,” Palo Alto Networks Unit 42 researchers Lior Rochberger and Dan Yashnik said in a Monday analysis.
Glupteba is a fully-featured information stealer and backdoor capable of facilitating illicit cryptocurrency mining and deploying proxy components on infected hosts. It's also known to leverage the Bitcoin blockchain as a backup command-and-control (C2) system, making it resilient to takedown efforts.
Some of its other functions allow it to deliver additional payloads, siphon credentials and credit card data, perform ad fraud, and even exploit routers to gain credentials and remote administrative access.
Over the past decade, modular malware has metamorphosed into a sophisticated threat employing elaborate multi-stage infection chains to sidestep detection by security solutions.
A November 2023 campaign observed by the cybersecurity firm involves the use of pay-per-install (PPI) services such as Ruzki to distribute Glupteba. In September 2022, Sekoia linked Ruzki to activity clusters leveraging PrivateLoader as a conduit to propagate next-stage malware.
This takes the form of large-scale phishing attacks in which PrivateLoader is delivered under the guise of installation files for cracked software, which then loads SmokeLoader that, in turn, launches RedLine Stealer and Amadey, with the latter ultimately dropping Glupteba.
“Threat actors often distribute Glupteba as part of a complex infection chain spreading several malware families at the same time,” the researchers explained. “This infection chain often begins with a PrivateLoader or SmokeLoader infection that loads other malware families, then loads Glupteba.”
In a sign that the malware is being actively maintained, Glupteba comes fitted with a UEFI bootkit by incorporating a modified version of an open-source project called EfiGuard, which is capable of disabling PatchGuard and Driver Signature Enforcement (DSE) at boot time.
It's worth mentioning that prior versions of the malware were found to “install a kernel driver the bot uses as a rootkit, and make other changes that weaken the security posture of an infected host.”
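Because the bootkit and the earlier kernel-driver rootkit both depend on boot-time protections being defeated, a defender's first triage step is to read back the state of those protections. The script below is an added example, not code from the Unit 42 analysis or from Glupteba/EfiGuard; it uses only standard Windows cmdlets, assumes an elevated PowerShell session on a UEFI-booted Windows 10/11 host, and reports findings as leads for follow-up rather than as proof of compromise.

```powershell
# Added example (not from the Unit 42 write-up): report the boot-time protections a
# bootkit of the kind described above would have to defeat (Secure Boot, DSE, code
# integrity) and list running kernel drivers whose signatures do not validate.
function Get-BootIntegrityState {
    $state = [ordered]@{}

    # Secure Boot is the control that blocks unsigned pre-OS code such as a modified
    # EfiGuard loader; record "off" and "unsupported/legacy BIOS" separately.
    try   { $state.SecureBoot = Confirm-SecureBootUEFI }
    catch { $state.SecureBoot = "unsupported or not UEFI ($($_.Exception.Message))" }

    # Kernel-mode code integrity policy: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $state.CodeIntegrityPolicy = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
    }
    # SecurityServicesRunning contains 2 when hypervisor-enforced code integrity (HVCI) is on.
    $state.HvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # Boot settings that legitimately weaken driver signing; a bootkit does not need them,
    # but they belong in the same picture when judging the host's security posture.
    $bcd = bcdedit /enum '{current}' 2>$null
    $state.TestSigning       = [bool]($bcd | Select-String -Pattern '^testsigning\s+Yes')
    $state.NoIntegrityChecks = [bool]($bcd | Select-String -Pattern '^nointegritychecks\s+Yes')

    # Running kernel drivers whose Authenticode signature does not validate. With DSE
    # intact this should be empty on a stock system. Caveat: catalog-signed inbox drivers
    # can report NotSigned on older PowerShell builds, so treat entries as leads.
    $state.UnsignedRunningDrivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style paths WMI returns (\??\C:\..., \SystemRoot\..., System32\...).
            $path = $_.PathName -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot', $env:SystemRoot `
                                -replace '^System32', "$env:SystemRoot\System32"
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $sig.Status }
                }
            }
        }

    [pscustomobject]$state
}

Get-BootIntegrityState | Format-List
```

A host showing Secure Boot off, code integrity off, or running drivers with non-validating signatures is not necessarily infected, but that combination matches the posture this bootkit aims to create and justifies firmware-level inspection (ESP contents and boot entries) on that machine.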
“Glupteba malware continues to stand out as a notable example of the complexity and adaptability exhibited by modern cybercriminals,” the researchers said.
“The identification of an undocumented UEFI bypass technique within Glupteba underscores this malware's capacity for innovation and evasion. Moreover, with its role in distributing Glupteba, the PPI ecosystem highlights the collaboration and monetization strategies employed by cybercriminals in their attempts at mass infections.”