Security researchers recently discovered a new UEFI attack, where a compromised UEFI firmware image contained a malicious implant. Part of a malware framework called MosaicRegressor, the attack compromised victims with ties to North Korea between 2017 and 2019.
Unified Extensible Firmware Interface (UEFI) is a technology that connects a computer’s firmware to its operating system. The purpose of UEFI is to eventually replace the legacy BIOS. The technology is installed during manufacturing. It is also the first program running when a computer is started. Unfortunately, the technology has become a target of malicious actors in “exceptionally persistent attacks,” as Kaspersky researchers put it.
New UEFI Malware Found in the Wild
The Kaspersky research team discovered a compromised UEFI firmware image that contained a malicious implant. The purpose of this implant is to run additional malware on targeted machine. The malicious firmware was used in attacks in the wild. This is the second known case of actively exploited UEFI malware.
Why are attackers abusing this technology? As it turns out, one of the reasons is persistency. “UEFI firmware makes for a perfect mechanism of persistent malware storage,” Kaspersky says.
Sophisticated attackers can modify the firmware to have it deploy malicious code that runs after the operating system is loaded. Since it is typically shipped within SPI flash storage that comes with the computer’s motherboard, such implanted malware is resistant to OS reinstallation or replacement of the hard drive.
More about the MosaicRegressor Malicious Framework
According to Kaspersky, components from the MosaicRegressor framework were discovered in a sequence of targeted attacks against diplomats and African, Asian, and European members of an NGO. Their activity showed ties to North Korea.
“Code artefacts in some of the framework’s components and overlaps in C&C infrastructure used during the campaign suggest that a Chinese-speaking actor is behind these attacks, possibly having connections to groups using the Winnti backdoor,” the report says.
Security researchers believe that Winnti belongs to an umbrella group, meaning that several smaller criminal fractions use it to identify themselves with it. Last year, the Winnti backdoor was using the Skip-2.0 malware to infect Microsoft SQL servers. The campaign relied on a vulnerability in the servers which could allow access to the stored data using a magic password string.
As for the new UEFI malware, it appears to be a custom version of the VectorEDK bootkit. The bootkit’s code was leaked in 2015, and has been available online ever since. The malware is used to plant the MosaicRegressor malicious framework, which is the second payload. MosaicRegressor is capable of cyber espionage and data gathering, and it contains additional downloaders that can execute other, secondary components.
Even though UEFI malware is rare, it continues to be a point of interest to APT (advanced persistent threat) actors. In the meantime, it is being overlooked by security vendors. More information about the MosaicRegressor attack is available in the original Kaspersky report.