Pulse Detail — Threat Intelligence

PULSE NAME

Diving Into Glupteba's UEFI Bootkit

WHITE Glupteba AlienVault 2024-02-13 Modified: 2024-02-13

IOCs

HIGH VOLUME

This article describes the infection chain of a new Glupteba malware campaign that took place around November 2023. The analysis reveals Glupteba's use of an undocumented UEFI bootkit that can intervene and control the OS boot process, enabling Glupteba to hide itself and create stealthy persistence. The identification of this novel UEFI bypass technique underscores Glupteba's capacity for innovation and evasion, posing a significant detection challenge.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1543 T1562 T1555 T1542 T1546

MALWARE FAMILIES

Glupteba PrivateLoader SmokeLoader

Indicators of Compromise (52)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	01e86a4dfe6e0de7857b3cf2fafd041c	—	2024-02-13
FileHash-MD5	0c8f305fb05348c1c194b951deafbce5	—	2024-02-13
FileHash-MD5	8f56db1681ac00a5f05e9746414ebfe9	—	2024-02-13
FileHash-MD5	9fdb7c1359f3f2f7279f1df4bde648c0	—	2024-02-13
FileHash-MD5	d91200f27b0de081354ef30c390086c5	—	2024-02-13
FileHash-MD5	f8c080b6120c8ad51706a87a197f3a96	—	2024-02-13
FileHash-SHA1	11963758b724ef55789b5a4e2407d4afbb43ee90	—	2024-02-13
FileHash-SHA1	65a84da42ff2c18fc72beff5b8e1fc3c0f09e17b	—	2024-02-13
FileHash-SHA1	a711d7874c8d3727ce2c7381a0b7c666b6c3b8f6	—	2024-02-13
FileHash-SHA1	d8dc6f85b5a0cffbcb20240988e29f3eb4504abc	—	2024-02-13
FileHash-SHA256	01e86a4dfe6e0de7857b3cf2fafd041c8b3a3241e00844cb6bfbd3bfae2d36bc	—	2024-02-13
FileHash-SHA256	17e4590eceb4fec1e08c29b206d424172753d8472395f37d0647249ceff25817	—	2024-02-13
FileHash-SHA256	18c6e5a916eea979ea52495309e4e643232832bea614688df4cec0e3123b09d0	—	2024-02-13
FileHash-SHA256	3a1cffaaa68dc4b5f0f94a1ec14b008444074a3faefa4beba20c857a21539bc1	—	2024-02-13
FileHash-SHA256	46eb8b98738df13a3a8c923228ca82006c7d403c7a1aac2d6bc752023b432915	—	2024-02-13
FileHash-SHA256	5851e0b4a79208b995ab5a7e1f5247c159aac31c7c166a4bef77be14af64c1e8	—	2024-02-13
FileHash-SHA256	61ab0e1ddaae4704999c4781deea56e1df5b05489bf4c0b892c47b36a63de9f4	—	2024-02-13
FileHash-SHA256	6263a6ceb172eed7bae158d8066f70cabc42b352129547e1b5ad0c1096319d30	—	2024-02-13
FileHash-SHA256	75bb73decf9fd21643b834a0b3e21e8e0d33910e51efbe56a2162f1180d04802	—	2024-02-13
FileHash-SHA256	84575070117b8896bafbd6f5dc364db09bea8e742f4af84884d15cab5e811060	—	2024-02-13
FileHash-SHA256	8a62d01c1f321c4adb8428771af3eae1c83fec8a0e0a047b0bc17a51d19c7c96	—	2024-02-13
FileHash-SHA256	8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205	—	2024-02-13
FileHash-SHA256	9691b5846e230e0ea87b3f8a7a6dc31daae701ca0bb83e6c7df0f683bdea01e6	—	2024-02-13
FileHash-SHA256	9c44bf6c3538c93c95342f5c365de46b6494a5a5764870048df7478a9d0f8723	—	2024-02-13
FileHash-SHA256	9c6af24c519d02203bfbdf568f7beb144996af9676b290a96a728ba9314b1c66	—	2024-02-13
FileHash-SHA256	9fdb7c1359f3f2f7279f1df4bde648c080231ed21a22906e908ef3f91f0d00ee	—	2024-02-13
FileHash-SHA256	a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e	—	2024-02-13
FileHash-SHA256	aa3257efb3182a98f73ad413b34f68067f42c3c51b68d15abea5db01173afad8	—	2024-02-13
FileHash-SHA256	b6604ae49298c59e148b1e741ef8821ffd60c775bfb9c3234783452c54cd3069	—	2024-02-13
FileHash-SHA256	b84adf0716facf50418f5f228cf095e5157b6be3f04a98f26ce833057e804a4f	—	2024-02-13
FileHash-SHA256	bb809863b3145ceef7fc12ae5bca3940f18c4a24f5b4652e7b4cea6847762887	—	2024-02-13
FileHash-SHA256	c353fb081ae8e121c4dcea3ad1bc4061315728a6f0d0ac63885a4f074be5fef3	—	2024-02-13
FileHash-SHA256	c4f45bdfecb3d8cb4dcfdc8f323cf5d15321d161ac92802aa1e77dfa94fd91ed	—	2024-02-13
FileHash-SHA256	c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee	—	2024-02-13
FileHash-SHA256	cb347e06d97fde4c7f8dd77be59b8f57d47f6e3f998d708d21a5963bc1620835	—	2024-02-13
FileHash-SHA256	cfc7111da7b09e7a93b93ce690f2a4d922cc1009fea8368300f06c6fa4f85472	—	2024-02-13
FileHash-SHA256	d0d58229650ff9bf3bbf8edb55c7058a2f243e900473e0ff8849c517c2f165bd	—	2024-02-13
FileHash-SHA256	df75b62e373e0b91f26384b21aaa8e4dc86c13078cec7e32ad595d0c86d3fedb	—	2024-02-13
FileHash-SHA256	e4a2b53965b9d203d13dd4b5962b9f07270bb87e5738f44cf1126ce36019427d	—	2024-02-13
FileHash-SHA256	fdd2fbe16f96f6d2b027347fd35c2e105a483a55b43f094754c2b3374ffb051a	—	2024-02-13
domain	criogetikfenbut.org	—	2024-02-13
domain	dpav.cc	—	2024-02-13
domain	humydrole.com	—	2024-02-13
domain	kggcp.com	—	2024-02-13
domain	kumbuyartyty.net	—	2024-02-13
domain	lightseinsteniki.org	—	2024-02-13
domain	liuliuoumumy.org	—	2024-02-13
domain	onualituyrs.org	—	2024-02-13
domain	snukerukeutit.org	—	2024-02-13
domain	stualialuyastrelia.net	—	2024-02-13
domain	sumagulituyo.org	—	2024-02-13
domain	weareelight.com	—	2024-02-13

References (1)

↗ https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/