Tuesday, February 13, 2024

Glupteba Botnet Evades Detection with Undocumented UEFI Bootkit

Feb 13, 2024 | Newsroom | Cryptocurrency / Rootkit


The Glupteba botnet has been found to include a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit feature, adding another layer of sophistication and stealth to the malware.

“This bootkit can intervene and control the [operating system] boot process, enabling Glupteba to hide itself and create a stealthy persistence that can be extremely difficult to detect and remove,” Palo Alto Networks Unit 42 researchers Lior Rochberger and Dan Yashnik said in a Monday analysis.

Glupteba is a fully-featured information stealer and backdoor capable of facilitating illicit cryptocurrency mining and deploying proxy components on infected hosts. It is also known to leverage the Bitcoin blockchain as a backup command-and-control (C2) system, making it resilient to takedown efforts.

Some of its other features allow it to deliver additional payloads, siphon credentials and credit card data, perform ad fraud, and even exploit routers to obtain credentials and remote administrative access.


Over the past decade, modular malware has evolved into a sophisticated threat that uses elaborate multi-stage infection chains to sidestep detection by security solutions.

A November 2023 campaign observed by the cybersecurity firm involves the use of pay-per-install (PPI) services such as Ruzki to distribute Glupteba. In September 2022, Sekoia linked Ruzki to activity clusters leveraging PrivateLoader as a conduit to propagate next-stage malware.

This takes the form of large-scale phishing attacks in which PrivateLoader is delivered under the guise of installation files for cracked software. PrivateLoader then loads SmokeLoader which, in turn, launches RedLine Stealer and Amadey, with the latter ultimately dropping Glupteba.


“Threat actors often distribute Glupteba as part of a complex infection chain spreading multiple malware families at the same time,” the researchers explained. “This infection chain often begins with a PrivateLoader or SmokeLoader infection that loads other malware families, then loads Glupteba.”

In a sign that the malware is being actively maintained, Glupteba now comes fitted with a UEFI bootkit that incorporates a modified version of an open-source project called EfiGuard, which is capable of disabling PatchGuard and Driver Signature Enforcement (DSE) at boot time.

It is worth noting that earlier versions of the malware were found to “install a kernel driver the bot uses as a rootkit, and make other changes that weaken the security posture of an infected host.”
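As an added defender-side triage example (not code from the article or from Unit 42), the PowerShell script below checks a Windows host for the conditions a bootkit of this kind depends on or leaves behind: Secure Boot turned off, boot-configuration flags that weaken DSE, firmware boot entries pointing at an unexpected loader, and EFI binaries on the system partition that lack a valid Authenticode signature. It assumes an elevated PowerShell session on a UEFI Windows host with English bcdedit output and the S: drive letter free; that the bootkit's EFI loader is unsigned is an assumption of this example, not a statement from the article.

```powershell
#Requires -RunAsAdministrator
# Boot-integrity triage (added example, not Glupteba or Unit 42 code).
# Assumes: UEFI Windows host, English bcdedit output, S: drive letter unused.
$findings = @()

# 1. Secure Boot state: an unsigned third-party EFI loader can only run when it is off.
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is DISABLED' }
} catch {
    $findings += "Secure Boot state unavailable (legacy BIOS or query failed): $_"
}

# 2. BCD options that weaken Driver Signature Enforcement or early-launch protection.
$bcd = (bcdedit /enum all 2>&1) | Out-String
foreach ($flag in 'testsigning', 'nointegritychecks', 'disableelamdrivers') {
    if ($bcd -match "(?im)^\s*$flag\s+Yes") { $findings += "BCD option '$flag' is set to Yes" }
}

# 3. Firmware boot entries: the firmware must hand control to the bootkit's loader,
#    so review every entry's path and description for anything unexpected.
Write-Host '--- Firmware boot entries ---'
bcdedit /enum firmware | Select-String -Pattern 'description|path' |
    ForEach-Object { $_.Line.Trim() }

# 4. Mount the EFI System Partition and check every EFI binary's signature and hash.
mountvol S: /S | Out-Null
try {
    $efiFiles = Get-ChildItem -Path 'S:\EFI' -Recurse -Filter '*.efi' -ErrorAction SilentlyContinue
    $report = foreach ($f in $efiFiles) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') {
            $findings += "EFI binary without a valid signature: $($f.FullName) ($($sig.Status))"
        }
        [pscustomobject]@{
            Path   = $f.FullName
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
            SHA256 = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
        }
    }
    Write-Host '--- EFI binaries on the system partition ---'
    $report | Format-Table -AutoSize
} finally {
    mountvol S: /D | Out-Null   # always unmount, even if the scan throws
}

if ($findings) { Write-Warning ("Review these findings:`n - " + ($findings -join "`n - ")) }
else { Write-Host 'No obvious boot-integrity weaknesses found.' }
```

Compare the EFI hashes against a known-good image of the same Windows build rather than treating a valid signature alone as proof of integrity, since a signed but unexpected loader still merits investigation.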


“Glupteba malware continues to stand out as a notable example of the complexity and adaptability exhibited by modern cybercriminals,” the researchers said.

“The identification of an undocumented UEFI bypass technique within Glupteba underscores this malware’s capacity for innovation and evasion. Furthermore, with its role in distributing Glupteba, the PPI ecosystem highlights the collaboration and monetization strategies employed by cybercriminals in their attempts at mass infections.”
