Feb 13, 2024NewsroomCryptocurrency / Rootkit

The Glupteba botnet has been found to incorporate a previously undocumented Unified Extensible Firmware Interface (UEFI) bootkit feature, adding another layer of sophistication and stealth to the malware.

“This bootkit can intervene and control the [operating system] boot process, enabling Glupteba to hide itself and create a stealthy persistence that can be extremely difficult to detect and remove,” Palo Alto Networks Unit 42 researchers Lior Rochberger and Dan Yashnik said in a Monday analysis.

Glupteba is a fully-featured information stealer and backdoor capable of facilitating illicit cryptocurrency mining and deploying proxy components on infected hosts. It’s also known to leverage the Bitcoin blockchain as a backup command-and-control (C2) system, making it resilient to takedown efforts.

Some of the other functions allow it to deliver additional payloads, siphon credentials, and credit card data, perform ad fraud, and even exploit routers to gain credentials and remote administrative access.

Over the past decade, modular malware has metamorphosed into a sophisticated threat employing elaborate multi-stage infection chains to sidestep detection by security solutions.

A November 2023 campaign observed by the cybersecurity firm entails the use of pay-per-install (PPI) services such as Ruzki to distribute Glupteba. In September 2022, Sekoia linked Ruzki to activity clusters, leveraging PrivateLoader as a conduit to propagate next-stage malware.

This takes the form of large-scale phishing attacks in which PrivateLoader is delivered under the guise of installation files for cracked software, which then loads SmokeLoader that, in turn, launches RedLine Stealer and Amadey, with the latter ultimately dropping Glupteba.

“Threat actors often distribute Glupteba as part of a complex infection chain spreading several malware families at the same time,” the researchers explained. “This infection chain often starts with a PrivateLoader or SmokeLoader infection that loads other malware families, then loads Glupteba.”

In a sign that the malware is being actively maintained, Glupteba comes fitted with a UEFI bootkit by incorporating a modified version of an open-source project called EfiGuard, which is capable of disabling PatchGuard and Driver Signature Enforcement (DSE) at boot time.

It’s worth pointing out that previous versions of the malware were found to “install a kernel driver the bot uses as a rootkit, and make other changes that weaken the security posture of an infected host.”

“Glupteba malware continues to stand out as a notable example of the complexity and adaptability exhibited by modern cybercriminals,” the researchers said.

“The identification of an undocumented UEFI bypass technique within Glupteba underscores this malware’s capacity for innovation and evasion. Furthermore, with its role in distributing Glupteba, the PPI ecosystem highlights the collaboration and monetization strategies employed by cybercriminals in their attempts at mass infections.”

Jan 18, 2024NewsroomFirmware Security / Vulnerability

Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification used widely in modern computers.

Collectively dubbed PixieFail by Quarkslab, the nine issues reside in the TianoCore EFI Development Kit II (EDK II) and could be exploited to achieve remote code execution, denial-of-service (DoS), DNS cache poisoning, and leakage of sensitive information.

UEFI firmware – which is responsible for booting the operating system – from AMI, Intel, Insyde, and Phoenix Technologies are impacted by the shortcomings.

EDK II incorporates its own TCP/IP stack called NetworkPkg to enable network functionalities available during the initial Preboot eXecution Environment (PXE, pronounced “pixie”) stage, which allows for management tasks in the absence of a running operating system.

In other words, it is a client-server interface to boot a device from its network interface card (NIC) and allows networked computers that are not yet loaded with an operating system to be configured and booted remotely by an administrator.

The code to PXE is included as part of the UEFI firmware on the motherboard or within the NIC firmware read-only memory (ROM).

The issues identified by Quarkslab within the EDKII’s NetworkPkg encompass overflow bugs, out-of-bounds read, infinite loops, and the use of weak pseudorandom number generator (PRNG) that result in DNS and DHCP poisoning attacks, information leakage, denial of service, and data insertion attacks at the IPv4 and IPv6 layer.

The list of flaws is as follows –

• CVE-2023-45229 (CVSS score: 6.5) – Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message
• CVE-2023-45230 (CVSS score: 8.3) – Buffer overflow in the DHCPv6 client via a long Server ID option
• CVE-2023-45231 (CVSS score: 6.5) – Out-of-bounds read when handling a ND Redirect message with truncated options
• CVE-2023-45232 (CVSS score: 7.5) – Infinite loop when parsing unknown options in the Destination Options header
• CVE-2023-45233 (CVSS score: 7.5) – Infinite loop when parsing a PadN option in the Destination Options header
• CVE-2023-45234 (CVSS score: 8.3) – Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message
• CVE-2023-45235 (CVSS score: 8.3) – Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message
• CVE-2023-45236 (CVSS score: 5.8) – Predictable TCP Initial Sequence Numbers
• CVE-2023-45237 (CVSS score: 5.3) – Use of a weak pseudorandom number generator

“The impact and exploitability of these vulnerabilities depend on the specific firmware build and the default PXE boot configuration,” the CERT Coordination Center (CERT/CC) said in an advisory.

“An attacker within the local network (and, in certain scenarios remotely) could exploit these weaknesses to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information.”