Security software company Sophos lifts the veil on the stealthy activities of worm-focused malware that managed to keep itself hidden until recently.” Glupteba malware has been getting regular updates and feature enhancements that strengthen its ability to conceal detection on infected computers.

Sophos said that the core malware is a dropper with “extensive backdoor functionality.” Sophos researchers found Glupteba in a large number of downloads that claimed to be installers of pirated, commercial software, “but these are not likely to be the only sources of this malware.”

Glupteba takes on a modular approach to the malware to allow downloads and payload execution to extend the functionality of the bot. The payloads are intended to take advantage of the scripts and binaries that are often found in “open-source tool repositories, like Github, and have been lifted whole-cloth from their archives to be leveraged against the victim’s computer,” according to Sophos.

Mapua partners with Sophos in offering cybersecurity courses

Sophos updates endpoint detection, response solution to quickly identify, respond to threats

“The most unscrupulous threat actors design their malware to be stealthy,” said Luca Nagy, security researcher at Sophos and lead author of the report. “This means that they strive to stay under the radar and remain in the wild for a long time, performing reconnaissance and collecting information to determine their next move and to hone their malicious techniques.”

Kernel driver

By using privilege escalation, Glupteba is able to install a kernel driver that the bot uses as a rootkit, “which renders filesystem behavior invisible to the computer’s end-user and also protects any other file the malware decides to store in its application directory. A watcher process then monitors the rootkit and other components for any sign of failure or a crash and can reinitialize the rootkit driver or restart a buggy component.”

The malware uses the Windows Registry to store many of its configuration options under various Registry key names.

Sophos can infer that the bot’s propensity to self-protection and stealth, and this CDN label, that Glupteba’s creators intend this malware to be part of a service offering to other malware publishers, giving them a pay-per-install business model for malware delivery.

“While researching Glupteba, we realized the actors behind the bot are investing immense effort in self-defense,” said Nagy. “Security teams need to be on the lookout for such behavior. In addition, Glupteba is designed to be generic, capable of implementing a wide range of different malicious activities through its different components and extensive backdoor functions.”