Glupteba Botnet Adds UEFI Bootkit to Cyberattack Toolbox

The widespread, multitooled Glupteba malware has adopted a Unified Extensible Firmware Interface (UEFI) bootkit, allowing it to stealthily persist inside of Windows systems despite reboots, by manipulating the process by which the operating system is loaded.

Glupteba is a malware behemoth: a combination backdoor-infostealer-loader-cryptominer-malvertiser-botnet, built modularly to allow even more components to be added at will by its operators. Among its many capabilities are some extra-special features, too, such as using the Bitcoin blockchain as a backup command-and-control (C2) system, and being able to hide itself with Windows kernel drivers.

Its latest shiny feature is an upgrade on that last bit. In a campaign observed by Palo Alto Networks' Unit 42 last November, Glupteba came fitted with an incisive bootloader implant, ensuring that it can start running on infected Windows machines even before Windows itself does.

The New Bootloader

In years prior, Glupteba achieved serious levels of persistence and evasion by manipulating Windows drivers. It would drop a known vulnerable driver, then use open source tools like DSEFix or UPGDSED to override Windows' requirement that drivers be validated by digital signatures.

Now the botnet has incorporated a new open source tool called EfiGuard, which achieves even more sophisticated, lower-level access by taking advantage of UEFI, a specification which replaced the basic input/output system (BIOS), used to connect a machine's firmware to its operating system.

In short, the bootkit contains an implant for the EFI system partition (ESP) — located in a machine's boot device and containing the Windows Boot Manager — which disables driver signature enforcement as well as PatchGuard, the Windows function that prevents changes to the kernel. It allows Glupteba to operate in this privileged space, executing its code before Windows is able to start up in the first place, making the job of detecting and removing it far more difficult for affected organizations.

Only a few such bootkits have ever been discovered in the wild before.

"The UEFI bootloader of Glupteba poses serious threats to targeted organizations and can potentially lead to persistent infection, unauthorized access, control over firmware, data loss, and operational disruptions," warns Lior Rochberger, cortex threat researcher at Palo Alto Networks. "Those risks become more challenging and serious, especially since once the bootkit is installed it is very hard to discover and remediate. In the worst case scenario, the operators might even manipulate the hardware component and cause long-term damage to the infected machines."

As Palo Alto noted in its report, any given scenario — depending on the architecture, OS version, and configuration of a targeted machine — might call for DSEFix, UPGDSED, or EfiGuard. However, none of the three appear to bypass Windows' Secure Boot feature, like BlackLotus can.

Glupteba's Remarkable Longevity & Spread

Besides being one of the most powerful, Glupteba is also one of the world's longest-standing examples of malware out there.

Beginning as a simple backdoor in the early 2010s, it gradually evolved into a multipronged botnet able to steal credit card data and credentials from various software, perform digital ad fraud, hijack and mine cryptocurrencies, gain remote admin access on routers, and download additional payloads with more features therein.

It can be no wonder, then, that by the following decade it already had more than a million Windows devices under its spell, with thousands more added every day. Glupteba got so big that, powerless to stop it by conventional means, it inspired litigation from Google.

Google's efforts helped disrupt Glupteba until it roared back in December 2022. Rochberger attributes its revival to the pay-per-install (PPI) market, in which Dark Web traffickers charge operators of malware such as Glupteba a certain number of infections worldwide in exchange for flat-rate payments.

"The industries affected were diverse, since distribution follows more of an approach of spreading as much as possible, not to specific targets," she explains. The same goes for geographic regions: Glupteba's 2023 campaign spread across countries as diverse as Greece and Nepal, Bangladesh, Brazil, Korea, Algeria, Ukraine, Slovakia, Turkey, Italy, and Sweden.

For organizations already affected, as well as those more lucky, Rochberger recommends proactivity and diligence.

"The most important thing is to keep good security hygiene and good security posture — using the most up-to-date security products and applying a multilayered approach that enables organizations to not only detect," she says, "but also to prevent these kinds of sophisticated threats that constantly evolve."