
Digging Deep to Examine the Roots of the Glupteba UEFI Bootkit

Glupteba, an advanced piece of malware, has been used in several cybercriminal attacks for more than a decade now. But it was only in November 2023 that Palo Alto’s Unit 42 brought to light one of the features that made it so effective: its Unified Extensible Firmware Interface (UEFI) bootkit component, which allowed it to intervene in and control the operating system (OS) boot process and made it extremely difficult to detect and remove.

That same Unit 42 analysis also unveiled 12 domains identified as Glupteba indicators of compromise (IoCs).

In a bid to uncover more potentially connected artifacts, the Threat Intelligence Platform (TIP) research team expanded the list of IoCs and found:

  • 3,612 registrant-connected domains, 838 of which turned out to be malicious
  • Three email-connected domains
  • Four additional IP addresses, all of which turned out to be associated with various threats
  • Five string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the Glupteba IoCs

To gather more information about the Glupteba IoCs, we looked at their WHOIS records first. We discovered that:

  • They were distributed among three registrars. Gandi SAS and Web Commerce Communications Limited administered five domains each while Gransy S.R.O. handled two.
  • All of them were created in 2023.
  • Eleven of them were spread across three registrant countries. Five were registered in the U.S., four in Malaysia, and two in Russia. One domain did not have registrant country data in its current WHOIS record.
  • Four domains—lightseinsteniki[.]org, liuliuoumumy[.]org, snukerukeutit[.]org, and sumagulituyo[.]org—had public registrant organization details. All of them belonged to a single organization, in fact.

Glupteba IoC DNS Connections

We then proceeded with expanding the list of Glupteba IoCs to uncover more information about the bootkit’s infrastructure.

First, we looked for other domains whose WHOIS records contained the same registrant organization as the domain IoCs lightseinsteniki[.]org, liuliuoumumy[.]org, snukerukeutit[.]org, and sumagulituyo[.]org. We found 3,612 registrant-connected domains after duplicates and the IoCs were removed. A total of 838 of them turned out to be malicious. Here are five examples that have been flagged for at least two associated threat types.

| Malicious registrant-connected domain | Associated threat types |
|---|---|
| abscete[.]info | Malware, Command and control (C2) |
| ahoravideo-chat[.]com | C2, Malware, Generic |
| blesblochem[.]com | Malware, C2 |
| ge5r6h7tjrfrhegs[.]top | Malware, C2 |
| grectedparices[.]ru | Malware, C2 |

It is also interesting to note that threat actors could have chosen at least 24 of the malicious registrant-connected domains for use in attacks since they contained popular text strings or closely resembled those belonging to famous brands that could lure more users into clicking them. These strings include:

  • adobe (adobe-plugin[.]bid)
  • brian-krebs (brian-krebs-erectile-dysfunction[.]com) and krebs (krebsonsecurity[.]top)
  • dell (dell1[.]ug)
  • facebook (facebook-cdn[.]net)
  • kaspersky (kasperskygay-formula[.]in)
  • linkedim (linkedim[.]in)
  • windows (micro-windows[.]in), microsoft (microsoft-office-free-templates[.]in), office (officecloud[.]top), and win (win7-update[.]com)
  • mozilla (mozillaupdates[.]us)
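The brand-string pattern above can be turned into a triage pass over any domain list, such as newly registered domains or resolver logs. The following is an added example, not the TIP team's tooling: the watchlist, function names, and matching rules are assumptions, and the sample reuses domains quoted in this article plus one constructed benign control.

```python
import re

# Watchlist built from the brand strings the article lists; extend with your own.
BRANDS = ["adobe", "dell", "facebook", "kaspersky", "krebs", "linkedin",
          "microsoft", "mozilla", "office", "windows"]

# Domains quoted in the article (kept defanged) plus one benign control.
SAMPLE = ["adobe-plugin[.]bid", "dell1[.]ug", "linkedim[.]in",
          "kasperskygay-formula[.]in", "microsoft-office-free-templates[.]in",
          "abscete[.]info", "example[.]org"]

def refang(domain):
    """Normalise a defanged indicator (a[.]b) to a lowercase hostname."""
    return domain.strip().lower().replace("[.]", ".")

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_hits(domain, brands=BRANDS):
    """Map brand -> 'contains' or 'lookalike' for one domain."""
    labels = refang(domain).split(".")[:-1]            # ignore the TLD
    tokens = [t for l in labels for t in re.split(r"[-_\d]+", l) if t]
    hits = {}
    for brand in brands:
        for tok in tokens:
            if brand in tok:
                hits[brand] = "contains"
            # One-character typos only for longer brands, to limit noise.
            elif len(brand) >= 6 and edit_distance(tok, brand) == 1:
                hits.setdefault(brand, "lookalike")
    return hits

def triage(domains):
    """Return only the domains that matched, with their reasons."""
    return {d: h for d in domains if (h := brand_hits(d))}

if __name__ == "__main__":
    for domain, hits in triage(SAMPLE).items():
        print(domain, hits)
```

Substring matching on short brands such as dell will also flag unrelated words, so treat hits as candidates for review against WHOIS and reputation data rather than as verdicts.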

Next, we dove deeper into the 12 domain IoCs’ historical WHOIS records. That led to the discovery of 30 email addresses, 11 of which were public. Two of the public email addresses appeared in the current WHOIS records of three domains (after duplicates, the IoCs, and the registrant-connected domains were removed) that could be part of the Glupteba infrastructure.

After that, we looked at the 12 domain IoCs’ DNS records, which showed that they resolved to four IP addresses after duplicates were filtered out. Each of the four was associated with at least two threat types.

| Malicious IP address | Associated threat types |
|---|---|
| 104[.]198[.]2[.]251 | C2, Malware |
| 34[.]143[.]166[.]163 | C2, Malware, Generic, Phishing |
| 34[.]168[.]225[.]46 | C2, Malware, Generic |
| 34[.]94[.]245[.]237 | C2, Malware, Phishing |

These four IP addresses were geolocated in two countries—three in the U.S. and one in Singapore.

All four IP addresses were administered by a single ISP—Google LLC. None of them appeared to be dedicated, though, which hindered us from obtaining IP-connected domains.

To cover all the bases, we scoured the DNS for domains starting with text strings found among the 12 domain IoCs created since 1 November 2023, when the campaign was believed to have started. We discovered that one of them—dpav.—also appeared in five other domains after filtering out duplicates, the IoCs, and the registrant- and email-connected domains.


Our analysis of the Glupteba UEFI bootkit IoCs enabled us to uncover 3,624 potentially connected artifacts comprising 3,612 registrant-connected domains, three email-connected domains, four IP addresses, and five string-connected domains. A total of 842 of them—838 registrant-connected domains and four IP addresses—were associated with various threats as of this writing.

We also learned that at least 24 of the malicious registrant-connected domains may have mimicked famous brands or their products (i.e., Adobe, Dell, Facebook, LinkedIn, Kaspersky, Microsoft, and Mozilla) and personalities (i.e., Brian Krebs) in hopes of luring more victims in.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.
