The widespread Glupteba multitool malware has adopted a Unified Extensible Firmware Interface (UEFI) bootkit, which allows it to stealthily persist within Windows systems despite reboots by manipulating the process by which the operating system is loaded.
Glupteba is a malware juggernaut: a backdoor, infostealer, loader, cryptominer, malvertiser and botnet rolled into one, built in a modular way so its operators can add further components at will. Its more unusual features include using the Bitcoin blockchain as a backup command-and-control (C2) channel and hiding itself with Windows kernel drivers.
Its latest addition builds on that last capability. In a campaign observed by Palo Alto Networks Unit 42 last November, Glupteba gained a bootloader implant, ensuring it can start running on infected Windows machines even before Windows itself does.
The new bootloader
In previous years, Glupteba achieved a high degree of persistence and evasion by manipulating Windows drivers. It would delete a known vulnerable driver, then use open source tools such as DSEFix or UPGDSED to bypass Windows' requirement that drivers be validated by digital signature.
Now the botnet has incorporated a new open source tool called EfiGuard, which gives it even more sophisticated, lower-level access by leveraging UEFI, the specification that replaced the basic input/output system (BIOS) and connects a machine's firmware to its operating system.
In short, the bootkit places an implant on the EFI system partition (ESP), the partition on a machine's boot device that holds the Windows Boot Manager. The implant disables driver signature enforcement as well as PatchGuard, the Windows feature that prevents kernel modifications. This lets Glupteba operate in that privileged space, executing its code before Windows is able to boot, and makes detecting and removing it much harder for affected organizations.
Only a handful of such bootkits have ever been discovered in the wild.
“Glupteba’s UEFI bootloader poses a serious threat to targeted organizations and can potentially lead to persistent infections, unauthorized access, firmware control, data loss and operational disruptions,” warns Lior Rochberger, Cortex threat researcher at Palo Alto Networks. “These risks become more challenging and serious, especially because once the bootkit is installed it is very difficult to detect and remediate. In the worst case, operators could even manipulate the hardware component and cause long-term damage to infected machines.”
As Palo Alto noted in its report, any given scenario, depending on the target machine's architecture, operating system version and configuration, could call for DSEFix, UPGDSED or EfiGuard. However, none of the three appears to bypass Windows' Secure Boot feature, as BlackLotus can.
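Because the implant described above lives on the EFI system partition, one practical defensive check is to baseline the ESP's contents and re-compare them over time. The script below is an added example, not Unit 42's or the article's code; the S: drive letter and the baseline file location are assumptions, and it must run from an elevated PowerShell session on a UEFI system.

```powershell
# Added example: baseline-and-compare integrity check of the EFI system partition (ESP).
# First run with -Baseline to record hashes; later runs report new, changed or missing files.
param(
    [switch]$Baseline,
    [string]$BaselinePath = "$env:ProgramData\esp-baseline.json"   # assumed location
)

$mount = 'S:'                                   # spare drive letter (assumption)
mountvol $mount /S | Out-Null                   # mount the ESP with the built-in mountvol tool
try {
    $files = Get-ChildItem -Path "$mount\EFI" -Recurse -File
    $current = @{}
    foreach ($f in $files) {
        $rel = $f.FullName.Substring($mount.Length)
        $current[$rel] = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
    }

    if ($Baseline) {
        $current | ConvertTo-Json | Set-Content -Path $BaselinePath
        Write-Output "Saved baseline for $($current.Count) ESP files to $BaselinePath"
        return
    }

    $saved = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    # A dropped EFI driver or replaced boot manager shows up as NEW or MODIFIED here
    foreach ($path in $current.Keys) {
        if (-not $saved.PSObject.Properties[$path]) {
            Write-Warning "NEW file on ESP: $path"
        } elseif ($saved.$path -ne $current[$path]) {
            Write-Warning "MODIFIED file on ESP: $path"
        }
    }
    foreach ($p in $saved.PSObject.Properties) {
        if (-not $current.ContainsKey($p.Name)) { Write-Warning "MISSING from ESP: $($p.Name)" }
    }

    # Every .efi binary on the ESP should carry a valid Authenticode signature
    foreach ($f in ($files | Where-Object Extension -eq '.efi')) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Unsigned or invalid signature: $($f.FullName) ($($sig.Status))"
        }
    }

    # Secure Boot state, since the article notes these tools do not bypass it
    Write-Output ("Secure Boot enabled: " + (Confirm-SecureBootUEFI))
}
finally {
    mountvol $mount /D | Out-Null                # unmount the ESP again
}
```

Store the baseline file somewhere the machine's own users cannot rewrite it, since an attacker with the access needed to alter the ESP can also alter a local baseline.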
In addition to being one of the most powerful, Glupteba is also one of the longest-running malware families in the world.
Starting as a simple backdoor in the early 2010s, it gradually evolved into a multi-pronged botnet capable of stealing credit card data and credentials from a range of software, committing digital ad fraud, hijacking and mining cryptocurrencies, gaining remote administrative access to routers, and downloading additional payloads with still more features.
It is no wonder, then, that by the following decade it already had more than a million Windows devices under its control, with thousands more added every day. Glupteba grew so large that, unable to stop it by conventional means, Google turned to litigation.
Google's efforts helped disrupt Glupteba until it returned to prominence in December 2022. Rochberger attributes its resurgence to the pay-per-install (PPI) market, in which Dark Web brokers supply malware operators such as Glupteba's with a given number of infections worldwide in exchange for lump-sum payments.
“The sectors affected were different, as distribution follows more of a spread-as-much-as-possible approach, not towards specific targets,” he explains. The same goes for geographic regions: Glupteba's 2023 campaign spread to countries as diverse as Greece, Nepal, Bangladesh, Brazil, Korea, Algeria, Ukraine, Slovakia, Turkey, Italy and Sweden.
For organizations already affected, as well as those that have so far been spared, Rochberger recommends proactivity and diligence.
“The most important thing is to maintain good security hygiene and a good security posture, using the most up-to-date security products and applying a multi-layered approach that allows organizations to not only detect,” he says, “but also prevent this type of sophisticated threat that constantly evolves.”