Analysis of a relatively new backdoor suggests hackers are going out of their way to create malware that is almost impossible to detect.
According to a new report from SophosLabs, Glupteba is one example of malware that is particularly adept at avoiding detection.
Harnessed mostly to distribute cryptominers (malware that uses the infected device to mine cryptocurrency), Glupteba installs rootkits to hide its processes and components, and steals browser information by collecting cookies, history and credentials.
It also forwards network requests by installing its own proxy components, exfiltrates a massive amount of device data and hijacks vulnerable routers.
According to SophosLabs, its operators have spent “inordinate” amounts of time making sure it stays hidden in plain sight. This includes developing watchers that continuously monitor the performance of Glupteba’s own processes to ensure they do not fail (which could trigger an alert) and adding itself to the exclusion lists for Windows Defender.
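Because the report singles out Glupteba adding itself to Windows Defender's exclusion lists, a defender's first check is to audit those lists and the log entries that record changes to them. The following PowerShell is an added example written for this article, not code from SophosLabs or the report; it assumes an elevated session on a Windows host with Defender enabled, and the path pattern used to flag suspicious entries and the 72-hour lookback are illustrative choices.

```powershell
# Added example (not from the Sophos report): audit Windows Defender exclusions
# and recent configuration-change events, since Glupteba is reported to add
# itself to Defender's exclusion lists. Run in an elevated PowerShell session.

function Get-DefenderExclusionReport {
    param(
        # Hours of Defender operational-log history to review (assumed default)
        [int]$LookbackHours = 24
    )

    $pref = Get-MpPreference

    # Currently configured exclusions. Anything you did not deliberately add is
    # worth investigating; entries under user-writable locations are the usual
    # hiding places for malware that excludes itself from scanning.
    $paths     = @($pref.ExclusionPath)
    $processes = @($pref.ExclusionProcess)
    $exts      = @($pref.ExclusionExtension)

    # Illustrative pattern: flag exclusions pointing at Temp, AppData, ProgramData
    # or Users\Public. Tune it to what is legitimately excluded in your estate.
    $suspicious = ($paths + $processes) |
        Where-Object { $_ -match '\\(Temp|AppData|ProgramData|Users\\Public)\\' }

    # Event ID 5007 in the Defender operational log records configuration
    # changes, including exclusion additions; the message names the value changed.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message

    [PSCustomObject]@{
        Paths                = $paths
        Processes            = $processes
        Extensions           = $exts
        SuspiciousExclusions = @($suspicious)
        ExclusionChanges     = @($events)
    }
}

$report = Get-DefenderExclusionReport -LookbackHours 72
$report | Select-Object Paths, Processes, Extensions, SuspiciousExclusions | Format-List
$report.ExclusionChanges | Format-Table TimeCreated, Message -AutoSize -Wrap
```

Forwarding the Defender operational log to a central SIEM and alerting on Event ID 5007 exclusion changes lets this check run continuously rather than on demand.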
"The most unscrupulous threat actors design their malware to be stealthy. This means that they strive to stay under the radar and remain in the wild for a long time, performing reconnaissance and collecting information to determine their next move and to hone their malicious techniques,” said Luca Nagy, Security Researcher at Sophos.
“While researching Glupteba, we realized the actors behind the bot are investing immense effort in self-defence. Security teams need to be on the lookout for such behaviour. In addition, Glupteba is designed to be generic, capable of implementing a wide range of different malicious activities through its different components and extensive backdoor functions.”