Widespread attacks spreading the Glupteba malware in November involved the integration of a newly discovered EfiGuard Unified Extensible Firmware Interface bootkit that has provided the botnet with self-concealment and increased stealth through the deactivation of Driver Signature Enforcement and PatchGuard, The Hacker News reports.
Organizations in various industries across Europe and Asia have been targeted by the attack campaign, which commenced with the utilization of pay-per-install services that trigger an attack chain that deploys PrivateLoader or SmokeLoader before Glupteba, which then performs data exfiltration, cryptocurrency mining, and further payload delivery, according to a report from Palo Alto Networks' Unit 42 researchers.
"The identification of an undocumented UEFI bypass technique within Glupteba underscores this malware's capacity for innovation and evasion. Furthermore, with its role in distributing Glupteba, the PPI ecosystem highlights the collaboration and monetization strategies employed by cybercriminals in their attempts at mass infections," said researchers.
