Tuesday, October 6, 2020 – 11:40 GMT
Kaspersky Lab researchers reported the discovery of a spy program built on the sophisticated modular MosaicRegressor framework, which contained, among other things, a Unified Extensible Firmware Interface (UEFI) bootkit, only the second one known to experts in the entire history of observations.
For hackers, UEFI attacks are the true Holy Grail. After all, UEFI is loaded before the operating system and controls all operations at the earliest stage of startup. This is why a breach of this environment is so dangerous: if you modify the UEFI code, you take full control of the machine.
For example, you can alter memory or disk contents, or, as in the case of the MosaicRegressor bootkit, have the operating system launch a malicious file. Since this is low-level malware, replacing the hard drive or reinstalling the OS will not get rid of it.
Such attacks, however, are exceedingly rare.
The truth is that interference at such a low level is extremely difficult to carry out: attackers either need physical access to the system or have to compromise targets through complicated supply chain attacks (in which the UEFI firmware or the tools that work with UEFI are modified).
In 2018, ESET specialists discovered the first UEFI bootkit. The researchers then concluded that it was the work of Fancy Bear, the Russian-speaking government hacking group. Today, researchers at Kaspersky Lab attribute the authorship of MosaicRegressor to Chinese-speaking hackers.
The MosaicRegressor operation was detected using Firmware Scanner technology, which has been used in Kaspersky Lab products since the beginning of 2019 and was explicitly designed to detect threats embedded in ROM BIOS chips, including UEFI firmware images.
While studying the MosaicRegressor infrastructure, the specialists found that the components of the bootkit are based on the Vector-EDK code.
This is a special toolkit created by Hacking Team, which includes, among other things, instructions for building a UEFI firmware image.
Let me remind you that this and other Hacking Team tools “leaked” into the public domain in 2015, enabling attackers to build their own program with minimal effort: they merely added a malicious component to the source code.
The UEFI bootkit was found on only two machines, while other MosaicRegressor components were found on several machines.
The hackers obviously picked the targets for their attacks very deliberately: they were all diplomats and NGOs in Africa, Asia and Europe.
This file is a downloader; it interacts with the management server, gathers, stores and sends back to the management server all recent documents on the computer. Probably, this is just espionage, says Igor Kuznetsov, Kaspersky Lab’s leading cybersecurity specialist.
We have also identified other components of MosaicRegressor that are supposed to be dumped from the management server itself, running malicious code, and then erased. Information is now available on two UEFI bootkit casualties, as well as on many campaign casualties facing spear phishing. All of them are diplomats or members of NGOs, and their activities are related to North Korea.
There are various UEFI infection methods: if this microchip has not been adequately secured, then you can flash a malicious firmware variant using a special program or even a legitimate utility for upgrading UEFI. There is also a method that requires physical access to the equipment, adds Igor Kuznetsov. Be that as it may, we are dealing with a strong, sophisticated cyber-attack weapon, which not every attacker is capable of.
There is, however, a danger of the technology being reused, given the existence of ready-made working examples, especially because anybody can still download the instructions for it. This incident reveals that attackers are getting more innovative and are constantly refining their tactics.