This very stealthy malware could infect your device without you knowing


Malware operators spend an inordinate amount of time and resources developing features to hide their malware from security software. New analysis of Glupteba malware (one of these stealthy strains) shows that the cybercriminals behind it go to great lengths to remain unnoticed on an infected system, which improves their ability to deliver additional payloads and map a victim's network.

SophosLabs researchers have documented a multitude of creative techniques used by the malware, including adding its components to Windows Defender exclusion lists, masking communications with its command and control servers, and installing rootkits to hide its processes. The creators have also built measures to closely monitor the malware's own processes, ensuring they are running as intended and thus minimizing the chances of triggering a network alert.

“The most unscrupulous threat actors see their malware as stealthy. This means that they strive to stay under the radar and stay in the wild for a long time, conducting reconnaissance and gathering information to determine their next move and refine their malicious techniques," said Luca Nagy, a security researcher at Sophos. "During our investigation into Glupteba, we realized that the actors behind the robot were investing immense efforts in self-defense. Security teams need to be vigilant against such behavior,” he added.
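The first of the evasion techniques named above, adding entries to Windows Defender exclusion lists, leaves a trace that a security team can monitor: Defender logs every configuration change as event ID 5007 in its Operational log. The following is an added illustration, not code from the Sophos report or from Glupteba analysis: it runs a small classifier over constructed 5007 records and flags exclusion additions, rating extension-wide and user-writable-path exclusions as high severity. The exact message wording is an assumption that approximates the real event text.

```python
import re
from typing import Optional

# Constructed sample records from the Microsoft-Windows-Windows Defender/Operational
# log (event ID 5007 = configuration changed). The message wording is an
# approximation of the real event text, not a verbatim capture.
SAMPLE_EVENTS = [
    (5007, r"Windows Defender Antivirus Configuration has changed. Old value:  New value: "
           r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Libraries = 0x0"),
    (5007, r"Windows Defender Antivirus Configuration has changed. Old value:  New value: "
           r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.exe = 0x0"),
    (5007, r"Windows Defender Antivirus Configuration has changed. Old value:  New value: "
           r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Backup Agent = 0x0"),
    (1116, r"Windows Defender Antivirus has detected malware or other potentially unwanted software."),
]

# Matches "New value: HKLM\...\Windows Defender\<subkey path> = <data>"
NEW_VALUE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\(?P<sub>[^=]+?)\s*=\s*(?P<val>\S+)")
# Directories that droppers commonly write to and that admins rarely need to exclude.
USER_WRITABLE = re.compile(r"\\(Users\\Public|AppData|ProgramData|Temp)(\\|$)", re.IGNORECASE)


def classify_exclusion(event_id: int, message: str) -> Optional[dict]:
    """Return a finding for a Defender exclusion being added, or None if the event is unrelated."""
    if event_id != 5007:
        return None
    m = NEW_VALUE.search(message)
    if not m:
        return None
    parts = m.group("sub").split("\\", 2)          # ["Exclusions", "<kind>", "<target>"]
    if len(parts) != 3 or parts[0] != "Exclusions":
        return None
    kind, target = parts[1], parts[2]
    # Extension-wide exclusions (e.g. every .exe) and exclusions of user-writable or
    # whole-drive paths blind the scanner exactly where a dropper would land.
    if kind == "Extensions" or re.fullmatch(r"[A-Za-z]:\\?", target) or USER_WRITABLE.search(target):
        severity = "high"
    else:
        severity = "medium"   # still worth a ticket: confirm a change-management record exists
    return {"kind": kind, "target": target, "severity": severity}


def scan(events) -> list:
    """Run the classifier over (event_id, message) pairs and keep only the findings."""
    return [f for f in (classify_exclusion(i, msg) for i, msg in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On a real host the same records can be pulled from the Operational log and fed to `scan` one (id, message) pair at a time; the rest of the page's evasion techniques (rootkits, C2 masking) need different telemetry and are out of scope here.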


The most alarming consequence of the rise of stealth-based approaches among hackers is the possibility of secondary infections. While Glupteba is dangerous in its own right, capable of stealing web browser information (including account credentials), extracting large amounts of device data, and hijacking vulnerable routers, the real threat lies in its ability to pave the way for new malicious payloads.

The most common payload associated with Glupteba is a cryptominer, which uses the victim's computing power to mine cryptocurrency (a process known for its high energy consumption and therefore high cost) on behalf of the hacker. However, Sophos believes that the portfolio of associated payloads will only grow as the malware is incrementally improved.

“If I had to make an educated guess, I would say that the Glupteba attackers are looking to sell themselves as a malware distribution vendor as a service provider to other malware vendors who value longevity and stealth compared to the noisy end stage of, for example, a ransomware payload," Nagy said.

To minimize the risk of a malware infection in the first place, Sophos recommends that users be especially careful when running executable programs of questionable origin, keep all software and firmware up to date, and install antivirus software on all devices.