Rewterz Threat Alert – Glupteba Botnet Utilizes Previously Unknown UEFI Bootkit for Detection Evasion – Active IOCs

Severity

High

Analysis Summary

The Glupteba botnet has been recently discovered to utilize an undocumented Unified Extensible Firmware Interface (UEFI) bootkit feature which helps it to add another layer of stealth and sophistication. The bootkit is capable of intervening and taking control of the operating system’s boot process, allowing Glupteba to achieve a stealthy persistence and making it extremely challenging to detect.

Glupteba is an information stealer and backdoor with fully-featured capabilities to perform illicit cryptocurrency mining and propagate proxy components on compromised machines. It is infamous for using the Bitcoin blockchain as a backup command-and-control (C2) system, which makes it tough to take down easily. Some of its other functions are being able to deploy additional payloads, steal credentials and credit card data, commit ad fraud, and even abuse routers to harvest credentials and gain remote administrative access. This modular malware has shown significant development over the past 10 years as it has now metamorphosed into an advanced threat that can employ multi-stage infection chains to fly under the radar of security solutions.

A campaign that researchers observed in November 2023 showed the adversary leveraging pay-per-install (PPI) services like Ruzki to spread Glupteba. In September 2022, Ruzki was attributed to activity clusters that used PrivateLoader as a conduit to distribute next-stage malware. Large-scale phishing attacks were carried out in which PrivateLoader was propagated posing as installation files for cracked software, which later loaded SmokeLoader and launched RedLine Stealer as well as Amadey, finally dropping Glupteba.

Notably, threat actors often prefer to spread Glupteba as part of a complex infection chain that starts with delivering various malware families at the same time. As observed, this infection chain usually starts with a PrivateLoader or SmokeLoader infection responsible for dropping other malware families, and finally loading Glupteba.

The botnet malware seems to be actively maintained by its developers as the latest variant comes fitted with a UEFI bootkit that uses a modified version of an open-source project named EfiGuard, which can disable PatchGuard and Driver Signature Enforcement (DSE) at boot time. The previous versions of the malware were capable of installing a kernel driver that the bot uses as a rootkit and making changes that can weaken the security of a compromised device.

A new Glupteba campaign resurfaced in 2023 that targeted a wide range of regions and sectors worldwide, like Nepal, Greece, Bangladesh, Korea, Brazil, Ukraine, Algeria, Turkey, Slovakia, Sweden, and Italy. The malware continues to demonstrate how complex and adaptable modern malware has become. The identification of a previously unknown UEFI bypass technique with Glupteba highlights the malware’s capability for evasion and innovation. The PPI ecosystem also underlines the monetization strategies and collaboration that are used by threat actors to cause mass infections.

Impact

• Sensitive Data Theft
• Cryptocurrency Theft
• Unauthorized Access

Indicators of Compromise

Domain Name

• weareelight.com
• onualituyrs.org
• snukerukeutit.org
• stualialuyastrelia.net
• sumagulituyo.org
• criogetikfenbut.org
• humydrole.com
• kggcp.com
• kumbuyartyty.net
• lightseinsteniki.org
• liuliuoumumy.org

MD5

• 8f56db1681ac00a5f05e9746414ebfe9
• d91200f27b0de081354ef30c390086c5
• 0c8f305fb05348c1c194b951deafbce5
• 97c6f6965122bf82cb39d5759b341f15
• 6c85ef1959d78b550c39d682f269d20b
• 518e3509a931f50451c1f835f2733263
• 75056f55aeca2aae16a362ed5a2bdcd8
• 7f4e9dd96935a7508170f8a3f50e8e6d
• 17acb515b5fa45def030b191e5bc7991
• 2b84cb96ae6280c2020fa46e4a8a07d8

SHA-256

• cfc7111da7b09e7a93b93ce690f2a4d922cc1009fea8368300f06c6fa4f85472
• 17e4590eceb4fec1e08c29b206d424172753d8472395f37d0647249ceff25817
• 61ab0e1ddaae4704999c4781deea56e1df5b05489bf4c0b892c47b36a63de9f4
• b6604ae49298c59e148b1e741ef8821ffd60c775bfb9c3234783452c54cd3069
• cb347e06d97fde4c7f8dd77be59b8f57d47f6e3f998d708d21a5963bc1620835
• 46eb8b98738df13a3a8c923228ca82006c7d403c7a1aac2d6bc752023b432915
• aa3257efb3182a98f73ad413b34f68067f42c3c51b68d15abea5db01173afad8
• 75bb73decf9fd21643b834a0b3e21e8e0d33910e51efbe56a2162f1180d04802
• 9fdb7c1359f3f2f7279f1df4bde648c080231ed21a22906e908ef3f91f0d00ee
• 01e86a4dfe6e0de7857b3cf2fafd041c8b3a3241e00844cb6bfbd3bfae2d36bc

SHA-1

• 65a84da42ff2c18fc72beff5b8e1fc3c0f09e17b
• d8dc6f85b5a0cffbcb20240988e29f3eb4504abc
• a711d7874c8d3727ce2c7381a0b7c666b6c3b8f6
• 7aca6085d6539e2eaa77a51c2a0b16a82b93b4b3
• 1d2e8ced92b5d6b6375fd5cbd475b8632d5170fc
• 3993463507a7b1f0b9dec276060eeb41772a9016
• b55c72a17cff2bfb7e6ca3696cb55945b5dc0525
• c26321b41544cabd552910442ecacbd336d1f3d9
• 539e0729c6fe8460f20a0df044dce5d3ab629e7c
• e920e40cfc0c6a805d657c8f23f9c0612cd39f59

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by info-stealers and other types of malware.
• Promptly apply security patches and updates for operating systems, software applications, and browsers. This helps to address vulnerabilities that threat actors may exploit to deliver malware.
• Utilize web filtering solutions and URL reputation services to block access to known malicious websites and prevent users from visiting potentially dangerous links.
• Implement network segmentation to restrict access and isolate critical systems, such as those hosting sensitive financial information or accounts. This prevents lateral movement of malware and limits the impact of a potential compromise.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.