The Glupteba botnet has been observed to incorporate a earlier undocumented Unified Extensible Firmware Interface (UEFI) bootkit aspect, adding another layer of sophistication and stealth to the malware.
“This bootkit can intervene and handle the [operating system] boot course of action, enabling Glupteba to cover alone and generate a stealthy persistence that can be extremely complicated to detect and take out,” Palo Alto Networks Device 42 scientists Lior Rochberger and Dan Yashnik stated in a Monday assessment.
Glupteba is a fully-highlighted information stealer and backdoor able of facilitating illicit cryptocurrency mining and deploying proxy components on contaminated hosts. It is also acknowledged to leverage the Bitcoin blockchain as a backup command-and-handle (C2) system, building it resilient to takedown initiatives.
Some of the other features allow it to deliver additional payloads, siphon credentials, and credit score card data, execute advert fraud, and even exploit routers to gain qualifications and remote administrative obtain.
Around the past decade, modular malware has metamorphosed into a sophisticated menace utilizing elaborate multi-stage an infection chains to sidestep detection by security methods.
A November 2023 marketing campaign noticed by the cybersecurity firm involves the use of pay-per-put in (PPI) providers such as Ruzki to distribute Glupteba. In September 2022, Sekoia connected Ruzki to action clusters, leveraging PrivateLoader as a conduit to propagate future-stage malware.
This takes the sort of large-scale phishing assaults in which PrivateLoader is sent under the guise of set up documents for cracked computer software, which then masses SmokeLoader that, in flip, launches RedLine Stealer and Amadey, with the latter ultimately dropping Glupteba.
“Threat actors generally distribute Glupteba as section of a intricate infection chain spreading various malware households at the exact time,” the researchers explained. “This an infection chain often starts with a PrivateLoader or SmokeLoader an infection that hundreds other malware families, then loads Glupteba.”
In a indication that the malware is currently being actively preserved, Glupteba arrives equipped with a UEFI bootkit by incorporating a modified variation of an open up-supply job termed EfiGuard, which is capable of disabling PatchGuard and Driver Signature Enforcement (DSE) at boot time.
It’s value pointing out that earlier versions of the malware were uncovered to “set up a kernel driver the bot employs as a rootkit, and make other adjustments that weaken the security posture of an contaminated host.”
“Glupteba malware carries on to stand out as a noteworthy illustration of the complexity and adaptability exhibited by contemporary cybercriminals,” the researchers reported.
“The identification of an undocumented UEFI bypass procedure inside Glupteba underscores this malware’s potential for innovation and evasion. Also, with its job in distributing Glupteba, the PPI ecosystem highlights the collaboration and monetization procedures employed by cybercriminals in their makes an attempt at mass bacterial infections.”
Observed this article fascinating? Observe us on Twitter and LinkedIn to examine additional special content material we write-up.
Some parts of this article are sourced from:
thehackernews.com