UEFI Ransomware Shows Us What Future Crypto-Malware Could Look Like - How to, Technology and PC Security Forum | SensorsTechForum.com

UEFI Ransomware Shows Us What Future Crypto-Malware Could Look Like

During the RSA 2017 conference a demo was ran of a ransomware virus created to attack the UEFI of a system. This type of ransomware viruses on a firmware level are nothing new, but this is one of the very first cases where rootkit capabilities are used in ransomware viruses. And what is even more terrifying is that the attack was performed on a Windows 10 machine which interestingly enough was updated with every single update on it and every possible security feature added by default.

Why Is a UEFI Attack Possible?

The fact that this attack has already happened via UEFI is primarily due to the System Management Mode and the permissions of SMM obtained by this specific malware. This particular virus succeeds where others fail, primarily because it uses several layers of payload to obtain privilege escalation which then ensures it control over SMM which in it’s turn provides access to the UEFI interface.

How Does an Infection by This UEFI Ransomware Happen?

The delivery method of this virus begins with one simple app. This application can be published on multiple places online as a fake adobe flash player update, a fake game crack, fake installer or any other type of legitimately looking executable file. It can also be sent out as an e-mail attachment pretending to be anything. If the one who is hacking decides to target a computer and has physical access, he or she can execute the app themselves on a given computer.

What Happens During Infection with UEFI Ransomware?

Cylance experts report that this ransomware infection in particular which is for demonstration purposes may theoretically be conducted with the aid of several exploits in several phases of infection. Once the malicious executable has infected a computer via RCE exploit it drops the first payload of the virus which has another exploit utilizing software, called EoP exploit. It is responsible for dropping a second payload in the operating system’s (Windows 10, build 1703) Kernel. This payload uses the EoP exploit to penetrate the HAL (Hardware Abstraction Layer or Hardware Annotation Library) software subsystem. These services and their exploiting provides direct access to the UEFI Firmware and it’s services which is the third phase of the infection. From there, the UEFI malware used, drops yet another payload, this time directly in the SMM. The exploit is familiar as an SPI Write type of exploit and provides the malware SMM privileges. This allows the malware to infect with a rootkit and do whatever it has been programmed to do.

What Will Happen After This Is Known?

Microsoft, who are constantly improving Windows 10 adding new security features to the UEFI firmware have so far remained without comment on the matter. The bad news here is that even with the latest updates and security improvements, the operating system is still vulnerable to SMM privilege escalaton and this issues needs to be addressed.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share