The widespread, multitooled Glupteba malware has adopted a Unified Extensible Firmware Interface (UEFI) bootkit, allowing it to persist stealthily on Windows systems across reboots by manipulating the process by which the operating system is loaded.
Glupteba is a malware behemoth: a combination backdoor-infostealer-loader-cryptominer-malvertiser-botnet, built modularly to allow even more components to be added at will by its operators.
Among its many capabilities are some extra-special features, too, such as using the Bitcoin blockchain as a backup command-and-control system, and being able to hide itself with Windows kernel drivers.
Its latest shiny feature is an upgrade on that last bit.
In a campaign observed by Palo Alto Networks' Unit 42 last November, Glupteba came fitted with an incisive bootloader implant, ensuring that it can start running on infected Windows machines even before Windows itself does.
The New Bootloader
In years prior, Glupteba achieved serious levels of persistence and evasion by manipulating Windows drivers.
It would drop a known vulnerable driver, then use open source tools like DSEFix or UPGDSED to override Windows' requirement that drivers be validated by digital signatures.
Now the botnet has incorporated a new open source tool called EfiGuard, which achieves even more sophisticated, lower-level access by taking advantage of UEFI, the specification that replaced the legacy BIOS as the interface between a machine's firmware and its operating system.
In short, the bootkit contains an implant for the EFI system partition - located in a machine's boot device and containing the Windows Boot Manager - which disables driver signature enforcement as well as PatchGuard, the Windows function that prevents changes to the kernel.
It allows Glupteba to operate in this privileged space, executing its code before Windows is able to start up in the first place, making the job of detecting and removing it far more difficult for affected organizations.
As Palo Alto noted in its report, any given scenario - depending on the architecture, OS version, and configuration of a targeted machine - might call for DSEFix, UPGDSED, or EfiGuard.
None of the three appear to bypass Windows' Secure Boot feature, like BlackLotus can.
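A defender-side check for the implant location described above, as an added example that is not from the article, from Unit 42, or from EfiGuard's own tooling: it reports the Secure Boot state, inventories every .efi binary on the EFI system partition, flags binaries that are not validly Authenticode-signed, and compares file hashes against a baseline saved from a known-good machine. The mount letter S: and the baseline path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Unit 42). Inventories the EFI system
# partition, the location a UEFI bootkit like the one described implants into.
# Assumptions: drive letter S: is free, and the baseline path below is hypothetical.
param(
    [string]$MountLetter  = 'S:',
    [string]$BaselinePath = "$env:ProgramData\esp-baseline.json"   # hypothetical path
)

# Secure Boot is the control the article notes these tools do not bypass; $null
# means the cmdlet is unsupported here (legacy BIOS boot).
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $null }
Write-Host "Secure Boot enabled: $secureBoot"

# Mount the EFI system partition (mountvol /S) and inventory every PE/COFF .efi file.
mountvol $MountLetter /S | Out-Null
try {
    $inventory = Get-ChildItem -Path "$MountLetter\EFI" -Recurse -Filter *.efi -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName.Substring($MountLetter.Length)
                Sha256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                Status = $sig.Status.ToString()
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
} finally {
    mountvol $MountLetter /D | Out-Null   # always unmount, even if enumeration fails
}

# The Windows Boot Manager and vendor loaders are normally Authenticode-signed, so an
# unsigned or invalidly signed boot binary deserves a closer look (review, not verdict).
$inventory | Where-Object Status -ne 'Valid' |
    ForEach-Object { Write-Warning "Review: $($_.Path) [$($_.Status)] signer=$($_.Signer)" }

# Compare against a baseline captured on a known-good system; create it on first run.
if (Test-Path $BaselinePath) {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $inventory -Property Path, Sha256
    if ($diff) { $diff | Format-Table -AutoSize } else { Write-Host 'ESP matches baseline.' }
} else {
    $inventory | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
}
```

Run it once on a freshly imaged machine to record the baseline, then periodically on deployed hosts; a new, removed or re-hashed .efi file shows up in the comparison output.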
Glupteba's Remarkable Longevity & Spread
Besides being one of the most powerful, Glupteba is also one of the longest-running malware families in the world.
Beginning as a simple backdoor in the early 2010s, it gradually evolved into a multipronged botnet able to steal credit card data and credentials from various software, perform digital ad fraud, hijack and mine cryptocurrencies, gain remote admin access on routers, and download additional payloads with more features therein.
It is no wonder that by the following decade it already had more than a million Windows devices under its control, with thousands more added every day.
Glupteba grew so large that Google, powerless to stop it by conventional means, resorted to litigation against it.
Google's efforts helped disrupt Glupteba until it roared back in December 2022.
Rochberger attributes its revival to the pay-per-install market, in which Dark Web traffickers sell operators of malware such as Glupteba a set number of infections worldwide in exchange for a flat-rate payment.
The same goes for geographic regions: Glupteba's 2023 campaign spread across countries as diverse as Greece and Nepal, Bangladesh, Brazil, Korea, Algeria, Ukraine, Slovakia, Turkey, Italy, and Sweden.
For organizations already affected, as well as those that have so far been more fortunate, Rochberger recommends proactivity and diligence.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 13 Feb 2024 21:45:09 +0000