This sneaky malware goes to unusual lengths to cover its tracks

Glupteba creates a backdoor into infected Windows systems - and researchers think it'll be offered to cyber criminals as an easy means of distributing other malware.
Written by Danny Palmer, Senior Writer

A malware campaign that creates a backdoor providing full access to compromised Windows PCs, while adding them to a growing botnet, has developed some unusual measures for staying undetected.

Glupteba first emerged in 2018 and started by gradually dropping more components into place on infected machines in its bid to create a backdoor to the system.

The malware is continuously in development and in the past few months it appears to have been upgraded with new techniques and tactics to coincide with a new campaign that has been detailed by cybersecurity researchers at Sophos.


The paper describes Glupteba as "highly self-defending malware" with the cyber-criminal group behind it paying special attention to "enhancing features that enable the malware to evade detection".

However, its method of distribution is relatively simple: it's bundled in pirated software, including cracked versions of commercial applications, as well as illegal video game downloads. The idea is simply to get as many users to download compromised applications that contain the Glupteba payload as possible.

To ensure the best possible chance of a successful compromise, the malware is gradually dropped, bit-by-bit onto the system to avoid detection by any anti-virus software the user may have installed. The malware also uses the EternalBlue SMB vulnerability to help it secretly spread across networks.

But that isn't where the concealment and self-defence ends, because even after installation Glupteba goes out of its way to stay undetected.

"The creators seem to have spent an unusual amount of effort on reinforcing the bot's stealth capabilities compared to other malware," Andrew Brandt, principal researcher at Sophos, told ZDNet.

Glupteba uses a number of software exploits for privilege escalation, primarily so it can install a kernel driver the bot uses as a rootkit, and make other changes that weaken the security posture of an infected host.

Sophos said the rootkit renders filesystem behavior invisible to the computer's end user, and also protects any other file the malware decides to store in its application directory. A watcher process then monitors the rootkit and other components for any sign of failure or a crash, and can reinitialize the rootkit driver or restart a buggy component.

"They've also contrived a somewhat convoluted method to conceal their updates to command-and-control server addresses in plain sight, by staging those updates as encrypted data tied to transactions in the bitcoin blockchain," Brandt added.

Glupteba's latest campaign is described as relatively prolific, fitting in with what appears to be the aim of compromising as many computers as possible.

Currently, Glupteba's main activity appears to be cryptocurrency mining. But the way it creates a backdoor into compromised computers, combined with the way in which those behind it look to be attempting to create a large botnet of readily available machines, suggests that the ultimate aim is to lease it out as a means of distributing other forms of malware to victims.

"I'd say the Glupteba attackers are angling to market themselves as a malware-delivery-as-a-service provider to other malware makers who value longevity and stealth over the noisy quick endgame of, for instance, a ransomware payload," said Brandt.

The way in which those behind Glupteba regularly fix any bugs or crashes that emerge also provides evidence that they're looking to maintain as smooth an operation as possible going forward.


The campaign is still active and attempting to recruit more machines into the botnet. The simplest way users can avoid falling victim to Glupteba is by ensuring the critical security update issued to protect against EternalBlue is installed.

Microsoft released the patch in 2017, but EternalBlue remains successful because of the significant number of Microsoft Windows systems around the world that haven't had it installed, putting them at risk of falling victim to this and other malware.

Users should also be wary of downloading applications – especially cracked ones – from untrusted sources.
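The two host-side conditions the article points to, the 2017 SMB update being installed and the legacy SMBv1 protocol that EternalBlue targets not being exposed, can be checked from an administrator's PowerShell session. The script below is an added, read-only example written for this article; it is not code from ZDNet, Sophos, or Microsoft. It assumes a Windows 8 / Server 2012 or newer host and an elevated session, and takes the update's KB id as a hypothetical `-RequiredKBs` parameter because the KB article number for that update differs per Windows build.

```powershell
# Added example (not from the article, Sophos, or Microsoft): report whether
# this host still exposes SMBv1 and whether the listed updates are installed.
# Assumptions: elevated PowerShell on Windows 8 / Server 2012 or newer;
# $RequiredKBs is supplied by the operator for the OS build in question.
param(
    [string[]]$RequiredKBs = @()   # e.g. 'KB<id-for-this-build>' (assumed input)
)

function Get-Smb1Exposure {
    # Server-side SMBv1 switch: $true means the host still answers SMBv1 requests.
    $server = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $smb1Server = if ($null -ne $server) { [bool]$server.EnableSMB1Protocol } else { $null }

    # SMB1Protocol optional feature (Windows 10 / Server 2016 and later).
    # Absent or not queryable on some editions, in which case this stays $null.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue
    $smb1Feature = if ($null -ne $feature) { $feature.State -eq 'Enabled' } else { $null }

    [PSCustomObject]@{
        Smb1ServerEnabled  = $smb1Server
        Smb1FeatureEnabled = $smb1Feature
    }
}

function Get-MissingUpdates {
    param([string[]]$Kbs)
    # Get-HotFix lists installed updates by HotFixID, e.g. "KB1234567".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        $id = if ($kb -like 'KB*') { $kb } else { "KB$kb" }
        if ($installed -notcontains $id) { $id }
    }
}

$exposure = Get-Smb1Exposure
$missing  = @(Get-MissingUpdates -Kbs $RequiredKBs)

$findings = @()
if ($exposure.Smb1ServerEnabled -eq $true)  { $findings += 'SMBv1 server protocol is enabled' }
if ($exposure.Smb1FeatureEnabled -eq $true) { $findings += 'SMB1Protocol optional feature is installed' }
if ($missing.Count -gt 0) { $findings += "Updates not installed: $($missing -join ', ')" }

if ($findings.Count -eq 0) {
    Write-Output 'OK: SMBv1 not exposed and all listed updates present'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it as `.\Check-Smb1.ps1 -RequiredKBs 'KB<id-for-this-build>'` (file name and KB id are placeholders). A host that reports SMBv1 enabled or the update missing is one that the article's advice says should be patched before it is exposed to a network where Glupteba, or anything else using EternalBlue, may be spreading.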

"The normal general precautions apply here as much as anywhere else: Don't run stuff you shouldn't, keep everything patched, and always make sure you have some sort of malware protection on your computer," said Brandt.
