Sophos Unmasks Glupteba — Malware Hiding in Plain Sight

Sophos raises awareness on a malware family whose infection numbers have been steadily rising this 2020. Sophos has published a report on Glupteba, a malware which main prowess is its ability to stay hidden from its victim. Since the beginning of the year, Sophos has seen updates and feature enhancements on the malware along with increasing infection numbers.

Glupteba essentially is a dropper with extensive backdoor functionality that is capable to hide from view of the victim and their security software. This makes the malware effective in infecting a system while also avoiding detection by the user or any security software.

The dropper executes it’s tasks using downloaded payloads found from open source tool repositories, such as Github. These payloads consist of exploit scripts and binaries used as extended functionality of the dropper. Glupteba’s servers transfer them into an infected computer undetected.

Exploits done by the dropper use privilege escalation to ensure it can bypass restrictions. It allows installation of a kernel driver as a rootkit, and tamper with settings that weaken security performance. The rootkit masks any sign of filesystem behavior and safeguards any file by storing it in its directory. A watcher process monitors any potential errors and failures in its system. Using this, any crashed components can be rebooted, including the kernel driver.

Also Read: Sophos: Bundlore Adware with Updated Safari Extensions, macOS Targeted

Another task of the bot is to look for other uninfected devices connected to the same network. This gives Glupteba more access to spread in more ways than using fake pirated software as a front to make oblivious users download the dropper.

The watcher process transmits recorded application crashes and bugs to their creators for them to improve upon. Since the malware’s stealth capabilities should make it undetectable, essential enhancements need feedback from running processes.

Glupteba’s stores its configuration settings and options by using the Windows Registry, hiding behind unsuspecting Registry key names. The names of some of the values in the malware’s configuration can provide an indication to their creators’ motives. In one instance, its C2 server stores its name in a key labeled as “CDN” or “Content Delivery Network”. It is a service that uses caches to store frequently-requested data for faster transmission to a large populace.

Due to the malware having a CDN label and effectiveness in evading detection and protecting itself, Sophos deduces that it may be in the interest of the malware’s creators to advertise their work. It may be a service offering to malware publishers, earning profit in providing undetected malware distribution.

For further information regarding the Glupteba malware, read the Sophos Labs Uncut Article.

Facebook Comments