The Glupteba botnet evades detection with an undocumented UEFI bootkit

February 13, 2024 | Pressroom | Cryptocurrency / rootkits

Botnet Glupteba

The Glupteba botnet has been found to incorporate a previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit feature, adding another layer of sophistication and stealth to the malware.

“This bootkit can intervene and control the [operating system] startup process, allowing Glupteba to hide and create a hidden persistence that can be extremely difficult to detect and remove,” Palo Alto Networks Unit 42 researchers Lior Rochberger and Dan Yashnik said in an analysis Monday.

Glupteba is a fully featured information stealer and backdoor capable of facilitating illicit cryptocurrency mining and deploying proxy components on infected hosts. It is also known to use the Bitcoin blockchain as a backup command-and-control (C2) mechanism, making it resilient to takedown efforts.

Some of its other capabilities allow it to deliver additional payloads, siphon credentials and credit card data, perform ad fraud, and even exploit routers to obtain credentials and remote administrative access.


Over the past decade, modular malware has evolved into a sophisticated threat that employs elaborate, multi-stage infection chains to evade detection by security solutions.

A November 2023 campaign observed by the cybersecurity firm involves the use of pay-per-install (PPI) services such as Ruzki to distribute Glupteba. In September 2022, Sekoia linked Ruzki to activity clusters that use PrivateLoader as a conduit for propagating next-stage malware.

This takes the form of large-scale phishing campaigns in which PrivateLoader is delivered disguised as an installer for cracked software. PrivateLoader then loads SmokeLoader, which in turn launches RedLine Stealer and Amadey, with the latter ultimately dropping Glupteba.


“Threat actors often deploy Glupteba as part of a complex infection chain that spreads several malware families at once,” the researchers explained. “This chain of infections often starts with a PrivateLoader or SmokeLoader infection that loads other malware families, then loads Glupteba.”

In a sign that the malware is being actively maintained, Glupteba ships with a UEFI bootkit that incorporates a modified version of an open-source project called EfiGuard, which is capable of disabling PatchGuard and Driver Signature Enforcement (DSE) at boot time.

It is worth noting that older versions of the malware have been found to “install a kernel driver that the bot uses as a rootkit and make other changes that weaken the security layer of an infected host.”


“The Glupteba malware continues to stand out as a notable example of the complexity and adaptability exhibited by modern cybercriminals,” the researchers said.

“The identification of an undocumented UEFI bypass technique within Glupteba highlights this malware’s ability to innovate and evade. Additionally, with its role in Glupteba distribution, the PPI ecosystem highlights collaboration and monetization strategies employed by cybercriminals in their attempts at mass infections.”
