
Glupteba Botnet Adds UEFI Bootkit to Cyberattack Toolbox


The Glupteba malware, known for its multifaceted capabilities, has recently incorporated a Unified Extensible Firmware Interface (UEFI) bootkit, allowing it to persist stealthily inside Windows systems. This new addition allows the malware to manipulate the process by which the operating system is loaded, providing it with a heightened level of persistence and evasion.

In addition to its new UEFI bootkit, Glupteba is a malware powerhouse, encompassing a backdoor, infostealer, loader, cryptominer, malvertiser, and botnet. This modular design enables its operators to add new components as needed. The malware also has unusual features, such as using the Bitcoin blockchain as a backup command-and-control (C2) channel and hiding itself with Windows kernel drivers.

Glupteba’s adoption of the UEFI bootkit marks a significant upgrade in its capabilities. The malware has historically achieved persistence and evasion by manipulating Windows drivers and using open-source tools to bypass Windows’ driver signature validation requirement. However, with the incorporation of EfiGuard, an open-source tool that takes advantage of UEFI, Glupteba can now achieve even more sophisticated, lower-level access within the system.

The new bootloader implant utilized by Glupteba disables driver signature enforcement as well as PatchGuard, a Windows function that prevents changes to the kernel. This implant allows Glupteba to execute its code before Windows starts up, making it significantly more difficult for affected organizations to detect and remove the malware.

According to Lior Rochberger, a Cortex threat researcher at Palo Alto Networks, the UEFI bootloader of Glupteba poses serious threats to targeted organizations. He warns that the malware can potentially lead to persistent infection, unauthorized access, control over firmware, data loss, and operational disruptions, making it challenging to discover and remediate.

Glupteba’s history as one of the most robust and enduring malware examples dates back to its origins in the early 2010s as a simple backdoor. Over time, it evolved into a sophisticated botnet capable of stealing credit card data and credentials, performing digital ad fraud, hijacking machines to mine cryptocurrency, gaining remote admin access on routers, and downloading additional payloads with enhanced features.

As a result of its capabilities, Glupteba amassed over a million Windows devices under its control, with thousands more added daily. Efforts to disrupt the malware have been made, including litigation from Google. However, the malware experienced a revival in December 2022, attributed to the pay-per-install (PPI) market on the Dark Web, in which operators of malware like Glupteba pay for a specified number of infections worldwide.

Geographically, Glupteba’s 2023 campaign has spread across multiple countries, including Greece, Nepal, Bangladesh, Brazil, Korea, Algeria, Ukraine, Slovakia, Turkey, Italy, and Sweden. For organizations affected by Glupteba, as well as those fortunate enough to avoid infection, proactivity and diligence are crucial. Rochberger emphasizes the importance of maintaining good security hygiene and posture, using up-to-date security products, and applying a multilayered approach to detect and prevent these sophisticated and constantly evolving threats.
