Malware operators are spending an inordinate amount of time and resources developing techniques to hide malicious activity from cybersecurity tools.
According to a new analysis of the Glupteba malware (one such stealth-oriented strain), cybercriminals are going to extreme lengths to remain undetected on an infected machine, increasing their opportunity to deliver further payloads and map out a victim's network.
Researchers at SophosLabs uncovered a host of inventive techniques used by the malware, including adding itself to Windows Defender exclusion lists, masking communications with command-and-control servers and installing rootkits to conceal its processes.
The creators also developed measures to closely monitor the malware’s processes, ensuring they perform without failure and thereby minimizing the chances of triggering a network alert.
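As an added example, not code from the Sophos write-up, the following PowerShell audits a Windows host for the Defender-exclusion technique described above: it lists the exclusions Defender currently honours and pulls the Defender configuration-change events (ID 5007) that mention exclusions, so an entry nobody on the security team added stands out. It assumes an elevated session on a host with Microsoft Defender enabled; the 30-day window is an arbitrary choice.

```powershell
# Added example (not from the Sophos report): audit Microsoft Defender exclusions
# and recent configuration-change events, since Glupteba is reported to add
# itself to the Defender exclusion list. Run in an elevated PowerShell session.

# 1. Current exclusions, as Defender itself reports them.
$pref = Get-MpPreference
$exclusions = @(
    $pref.ExclusionPath      | ForEach-Object { [pscustomobject]@{ Type = 'Path';      Value = $_ } }
    $pref.ExclusionProcess   | ForEach-Object { [pscustomobject]@{ Type = 'Process';   Value = $_ } }
    $pref.ExclusionExtension | ForEach-Object { [pscustomobject]@{ Type = 'Extension'; Value = $_ } }
)
if ($exclusions.Count -eq 0) {
    Write-Host 'No Defender exclusions configured.'
} else {
    Write-Host 'Configured Defender exclusions (review each one against your change records):'
    $exclusions | Format-Table -AutoSize
}

# 2. Configuration-change events. Event ID 5007 in the Defender operational log
#    is written whenever a Defender setting changes; an exclusion added by
#    malware appears here with the Exclusions registry key named in the message.
$since = (Get-Date).AddDays(-30)   # assumption: 30-day look-back window
$changes = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message

if ($changes) {
    Write-Host "Exclusion-related configuration changes since $since :"
    $changes | Format-List
} else {
    Write-Host 'No exclusion-related configuration changes in the last 30 days.'
}
```

Any exclusion that has no matching ticket or deployment record, particularly one pointing at a user-writable directory, is worth investigating together with the rootkit and C2 indicators mentioned above.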
“The most unscrupulous threat actors design their malware to be stealthy. This means that they strive to stay under the radar and remain in the wild for a long time, performing reconnaissance and collecting information to determine their next move and hone their malicious techniques,” explained Luca Nagy, Security Researcher at Sophos.
“While researching Glupteba, we realized the actors behind the bot are investing immense effort in self-defense. Security teams need to be on the lookout for such behavior,” she added.
The most alarming consequence of the increase in stealth-based approaches among hackers is the potential for secondary infections.
Although Glupteba is dangerous in its own right – capable of scraping web browser information (including account credentials), exfiltrating large volumes of device data and hijacking vulnerable routers – the real threat lies in its ability to pave the way for further malicious payloads.
The most common payload associated with Glupteba is a cryptominer, which uses the victim’s compute power to mine cryptocurrency (a process infamous for its high energy consumption, and therefore high cost) on behalf of the hacker.
However, Sophos believes the malware’s portfolio of associated payloads will only expand as incremental improvements are made.
“If I were to make an educated guess, I’d say the Glupteba attackers are angling to market themselves as a malware-delivery-as-a-service provider to other malware makers who value longevity and stealth over the noisy endgame of, for instance, a ransomware payload,” said Nagy.
To minimize the chances of suffering a malware infection in the first place, Sophos advises users to take particular care when running executable programs of dubious origin, ensure all software and firmware is up to date, and install antivirus software on all devices.