The Glupteba botnet has been found to incorporate a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit feature, adding yet another layer of sophistication and stealth to the malware.
“This bootkit can intervene and control the [operating system] boot process, enabling Glupteba to hide itself and create a stealthy persistence that can be exceptionally challenging to detect and remove,” Palo Alto Networks Unit 42 researchers Lior Rochberger and Dan Yashnik said in a Monday analysis.
Glupteba is a fully-featured information stealer and backdoor capable of facilitating illicit cryptocurrency mining and deploying proxy components on infected hosts. It’s also known to leverage the Bitcoin blockchain as a backup command-and-control (C2) system, making it resilient to takedown efforts.
Some of its other functions allow it to deliver additional payloads, siphon credentials and credit card data, perform ad fraud, and even exploit routers to gain credentials and remote administrative access.
Over the past decade, modular malware has metamorphosed into a sophisticated threat employing elaborate multi-stage infection chains to sidestep detection by security solutions.
A November 2023 campaign observed by the cybersecurity firm entails the use of pay-per-install (PPI) services such as Ruzki to distribute Glupteba. In September 2022, Sekoia linked Ruzki to activity clusters leveraging PrivateLoader as a conduit to propagate next-stage malware.
This takes the form of large-scale phishing attacks in which PrivateLoader is delivered under the guise of installation files for cracked software, which then loads SmokeLoader that, in turn, launches RedLine Stealer and Amadey, with the latter ultimately dropping Glupteba.
“Threat actors often distribute Glupteba as part of a complex infection chain spreading multiple malware families at the same time,” the researchers explained. “This infection chain often starts with a PrivateLoader or SmokeLoader infection that loads other malware families, then loads Glupteba.”
In a sign that the malware is being actively maintained, Glupteba comes fitted with a UEFI bootkit by incorporating a modified version of an open-source project called EfiGuard, which is capable of disabling PatchGuard and Driver Signature Enforcement (DSE) at boot time.
It’s worth pointing out that previous versions of the malware were found to “install a kernel driver the bot uses as a rootkit, and make other changes that weaken the security posture of an infected host.”
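A bootkit of the kind described above has to get its own EFI application onto the EFI System Partition (ESP) so that firmware runs it before the operating system loads. The added example below is not from the article or from Unit 42; it shows one simple defender-side control, a hash baseline of the ESP that is re-checked and diffed so that any new or replaced `.efi` file is surfaced for review. The file names, contents and directory layout are constructed for the demo; a real deployment would point `esp_root` at a mounted ESP and keep the baseline somewhere the host cannot silently rewrite. This check complements, rather than replaces, Secure Boot: EfiGuard is loaded as an unsigned EFI application, so keeping Secure Boot enabled is the primary control, and the baseline diff is the detection that catches the case where it was not.

```python
"""Baseline-and-diff check of an EFI System Partition (ESP).

Added example, not from the article or from Unit 42. A UEFI bootkit persists by
placing or replacing a boot-time .efi binary on the ESP; a hash baseline of the
ESP, re-checked on a schedule, makes that change visible. All paths and file
contents in demo() are constructed for this example.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large loaders do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(esp_root: Path) -> dict[str, str]:
    """Map every file under the ESP (relative POSIX path) to its SHA-256."""
    baseline: dict[str, str] = {}
    for p in sorted(esp_root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(esp_root).as_posix()] = sha256_file(p)
    return baseline


def diff_esp(esp_root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current ESP contents against a stored baseline.

    Returns added / modified / removed relative paths. A bootkit install
    typically shows up as an added or modified *.efi entry.
    """
    current = build_baseline(esp_root)
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def suspicious_boot_binaries(report: dict[str, list[str]]) -> list[str]:
    """Narrow the diff to EFI executables, the files firmware will actually run."""
    return sorted(p for p in report["added"] + report["modified"]
                  if p.lower().endswith(".efi"))


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean ESP, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        (esp / "EFI" / "Microsoft" / "Boot").mkdir(parents=True)
        (esp / "EFI" / "Boot").mkdir(parents=True)
        # Constructed placeholder contents standing in for real PE/EFI binaries.
        (esp / "EFI" / "Microsoft" / "Boot" / "bootmgfw.efi").write_bytes(b"MZ-original-bootmgfw")
        (esp / "EFI" / "Boot" / "bootx64.efi").write_bytes(b"MZ-original-bootx64")
        baseline = build_baseline(esp)

        # Simulated tampering: the fallback loader is replaced and an extra
        # loader appears next to the Windows boot manager.
        (esp / "EFI" / "Boot" / "bootx64.efi").write_bytes(b"MZ-replaced-loader")
        (esp / "EFI" / "Microsoft" / "Boot" / "loader.efi").write_bytes(b"MZ-extra-loader")

        report = diff_esp(esp, baseline)
        report["suspicious"] = suspicious_boot_binaries(report)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken right after provisioning or a verified firmware/OS update and refreshed only through a change-control step; any `suspicious` entry outside such a window is an incident, not a curiosity, and the flagged binary should be pulled for signature and hash analysis rather than simply deleted, since the persistence mechanism is exactly what the investigation needs to see.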
“Glupteba malware continues to stand out as a notable example of the complexity and adaptability exhibited by modern cybercriminals,” the researchers said.
“The identification of an undocumented UEFI bypass technique within Glupteba underscores this malware’s capacity for innovation and evasion. Furthermore, with its role in distributing Glupteba, the PPI ecosystem highlights the collaboration and monetization strategies employed by cybercriminals in their attempts at mass infections.”