Uses a rootkit to avoid detection. Glupteba includes a variety of Windows kernel drivers that hide the existence of specific files and processes. Kernel rootkits are unusual today because they’re complex to write and often draw unnecessary attention to themselves. If loaded successfully, rootkits help cybersecurity threats keep malware files off the radar of security tools.
Turns off security tools. The malware has a module that does its best to turn Windows Defender off, and then regularly checks to make sure it hasn’t turned itself back on. It also looks for other security tools, including antivirus software and system monitoring programs, killing them off so they can no longer search for and report anomalies.
Exploits EternalBlue. It uses two different variants of the EternalBlue exploit to distribute itself automatically across a network and then can use a home network as a launchpad to reach out just about anywhere else. That makes it more of an old-school, self-spreading computer worm rather than a standalone piece of malware.
Attacks home routers. The malware bundles in various exploits against popular home and small business routers, using the victim’s computer as a jumping off point for future attacks. This casts the victim as an attacker.
Steals browser data. Glupteba goes after local data from four browsers: Chrome, Firefox, Yandex and Opera – and then uploads them to the bad guys. Browser files often contain sensitive information such as URL history, authentication cookies and login details.
Leverages a cryptojacker. Along with everything else it does, Glupteba acts as a secret management tool for two different cryptomining tools.
With digital transformation and cloud adoption, most business users can have regular access to sensitive data. CyberArk’s Gil Rapaport discusses the need for additional layers of security amid a spate of insider threats.