Malware operators are spending an inordinate amount of time and resources developing features to conceal malicious programs from cybersecurity software.
According to a new analysis of Glupteba malware (one such stealth-oriented strain), cybercriminals are going to extreme lengths to remain undetected in an infected system – expanding the opportunity to deliver additional payloads and map out a victim’s network.
Researchers at SophosLabs uncovered a multitude of creative techniques utilized by the malware, including adding itself to Windows Defender exception lists, masking communications with command-and-control servers and installing rootkits to conceal its processes.
The creators also developed measures to closely monitor the malware’s processes, ensuring they perform without failure and thereby minimizing the chances of triggering a network alert.
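The first of those self-defence techniques, adding exclusions to Windows Defender, leaves a trace: Defender logs every configuration change as event 5007 in its Operational event log, and an exclusion written into a user-writable folder or covering an entire executable type is rarely legitimate. The following Python is an added example of that detection logic, not code from the article or from SophosLabs; the event messages it runs over are constructed, approximate the real 5007 message layout, and the risk patterns it applies are the author's own choices. It goes slightly beyond exclusions by also flagging the related change that switches real-time protection off.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Defender exclusions are stored under
# HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\{Paths,Processes,Extensions}\<entry>
# and appear in the "New value:" part of an event 5007 message when added.
EXCLUSION_RE = re.compile(
    r"Exclusions\\(?P<kind>Paths|Processes|Extensions)\\(?P<entry>.+?) = 0x0", re.IGNORECASE
)
DISABLE_RTP_RE = re.compile(r"DisableRealtimeMonitoring = 0x1", re.IGNORECASE)

# Locations a low-privilege process can write to, or exclusions that cover far too much.
RISKY_PATH_PATTERNS = [
    (re.compile(r"^[a-z]:\\?$", re.IGNORECASE), "excludes an entire drive"),
    (re.compile(r"\\users\\public\\", re.IGNORECASE), "user-writable public folder"),
    (re.compile(r"\\appdata\\", re.IGNORECASE), "per-user AppData location"),
    (re.compile(r"\\temp\\", re.IGNORECASE), "temporary directory"),
    (re.compile(r"\\programdata\\", re.IGNORECASE), "ProgramData subtree"),
    (re.compile(r"\\downloads\\", re.IGNORECASE), "browser download folder"),
]
# Excluding a whole executable extension disables scanning for every file of that type.
RISKY_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".js", ".vbs", ".scr", ".sys"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    kind: str      # Paths / Processes / Extensions / RealtimeProtection
    entry: str
    reason: str


def assess_exclusion(kind: str, entry: str) -> Finding:
    """Rate one newly added exclusion entry."""
    kind = kind.capitalize()
    if kind == "Extensions":
        ext = entry.lower() if entry.startswith(".") else "." + entry.lower()
        if ext in RISKY_EXTENSIONS:
            return Finding("high", kind, entry, "executable file type excluded from scanning")
        return Finding("medium", kind, entry, "extension exclusion; verify business need")
    for pattern, reason in RISKY_PATH_PATTERNS:
        if pattern.search(entry):
            return Finding("high", kind, entry, reason)
    return Finding("medium", kind, entry, "exclusion in a system location; verify change ticket")


def audit_defender_events(messages: Iterable[str]) -> list[Finding]:
    """Scan event 5007 messages and return one Finding per suspicious change."""
    findings = []
    for msg in messages:
        new_value = msg.split("New value:", 1)[1] if "New value:" in msg else msg
        m = EXCLUSION_RE.search(new_value)
        if m:
            findings.append(assess_exclusion(m.group("kind"), m.group("entry")))
        elif DISABLE_RTP_RE.search(new_value):
            findings.append(Finding("high", "RealtimeProtection",
                                    "DisableRealtimeMonitoring", "real-time protection switched off"))
    return findings


def event_5007(new_value: str, old_value: str = "") -> str:
    """Build a constructed event 5007 message approximating Defender's real wording."""
    return ("Microsoft Defender Antivirus Configuration has changed. "
            "If this is an unexpected event you should review the settings "
            "as this may be the result of malware. "
            f"Old value: {old_value} New value: {new_value}")


# Constructed sample log (not real telemetry): four exclusions plus one protection change.
SAMPLE_EVENTS = [
    event_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\svc = 0x0"),
    event_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Windows\Temp\winhost.exe = 0x0"),
    event_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.exe = 0x0"),
    event_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\SQL\data = 0x0"),
    event_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1"),
]

if __name__ == "__main__":
    for f in audit_defender_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.kind}: {f.entry} ({f.reason})")
```

On a live host the same messages come from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=5007}`, and the current exclusion lists can be compared against a baseline with `Get-MpPreference` (its `ExclusionPath`, `ExclusionProcess` and `ExclusionExtension` properties); the point of the severity split is that a "medium" finding is a change-control question while a "high" one is an incident-response trigger.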
“The most unscrupulous threat actors design their malware to be stealthy. This means that they strive to stay under the radar and remain in the wild for a long time, performing reconnaissance and collecting information to determine their next move and hone their malicious techniques,” explained Luca Nagy, Security Researcher at Sophos.
“While researching Glupteba, we realized the actors behind the bot are investing immense effort in self-defense. Security teams need to be on the lookout for such behavior,” she added.
The most alarming consequence of the increase in stealth-based approaches among hackers is the potential for secondary infections.
Although Glupteba is dangerous in its own right – capable of scraping web browser information (including account credentials), exfiltrating large volumes of device data and hijacking vulnerable routers – the real threat lies in its ability to pave the way for further malicious payloads.
The most common payload associated with Glupteba is a cryptominer, which uses the victim’s compute power to mine cryptocurrency (a process infamous for its high energy consumption, and therefore high cost) on behalf of the hacker.
However, Sophos believes the malware’s portfolio of associated payloads will only expand as incremental improvements are made.
“If I were to make an educated guess, I’d say the Glupteba attackers are angling to market themselves as a malware-delivery-as-a-service provider to other malware makers who value longevity and stealth over the noisy endgame of, for instance, a ransomware payload,” said Nagy.
To minimize the chances of suffering a malware infection in the first place, Sophos advises users to take particular care when running executable programs of dubious origin, to ensure all software and firmware are up to date, and to install antivirus software on all devices.