During the RSA 2017 conference a demo was ran of a ransomware virus created to attack the UEFI of a system. This type of ransomware viruses on a firmware level are nothing new, but this is one of the very first cases where rootkit capabilities are used in ransomware viruses. And what is even more terrifying is that the attack was performed on a Windows 10 machine which interestingly enough was updated with every single update on it and every possible security feature added by default.
Why Is a UEFI Attack Possible?
The fact that this attack has already happened via UEFI is primarily due to the System Management Mode and the permissions of SMM obtained by this specific malware. This particular virus succeeds where others fail, primarily because it uses several layers of payload to obtain privilege escalation which then ensures it control over SMM which in it’s turn provides access to the UEFI interface.
How Does an Infection by This UEFI Ransomware Happen?
The delivery method of this virus begins with one simple app. This application can be published on multiple places online as a fake adobe flash player update, a fake game crack, fake installer or any other type of legitimately looking executable file. It can also be sent out as an e-mail attachment pretending to be anything. If the one who is hacking decides to target a computer and has physical access, he or she can execute the app themselves on a given computer.
What Happens During Infection with UEFI Ransomware?
Cylance experts report that this ransomware infection in particular which is for demonstration purposes may theoretically be conducted with the aid of several exploits in several phases of infection. Once the malicious executable has infected a computer via RCE exploit it drops the first payload of the virus which has another exploit utilizing software, called EoP exploit. It is responsible for dropping a second payload in the operating system’s (Windows 10, build 1703) Kernel. This payload uses the EoP exploit to penetrate the HAL (Hardware Abstraction Layer or Hardware Annotation Library) software subsystem. These services and their exploiting provides direct access to the UEFI Firmware and it’s services which is the third phase of the infection. From there, the UEFI malware used, drops yet another payload, this time directly in the SMM. The exploit is familiar as an SPI Write type of exploit and provides the malware SMM privileges. This allows the malware to infect with a rootkit and do whatever it has been programmed to do.
What Will Happen After This Is Known?
Microsoft, who are constantly improving Windows 10 adding new security features to the UEFI firmware have so far remained without comment on the matter. The bad news here is that even with the latest updates and security improvements, the operating system is still vulnerable to SMM privilege escalaton and this issues needs to be addressed.