New 'MosaicRegressor' UEFI Bootkit Malware Found Active in the Wild

Published 2020-10-06 08:33:00 by The Hacker News (thehackernews.com)

CVSS3: 8.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE


Cybersecurity researchers have spotted a rare kind of potentially dangerous malware that targets a machine’s booting process to drop persistent malware.

The campaign involved the use of a compromised UEFI (Unified Extensible Firmware Interface) firmware image containing a malicious implant, making it only the second publicly known case of a UEFI rootkit being used in the wild.

According to Kaspersky, the rogue UEFI firmware images were modified to incorporate several malicious modules, which were then used to drop malware on victim machines in a series of targeted cyberattacks directed against diplomats and members of an NGO from Africa, Asia, and Europe.

Calling the malware framework “MosaicRegressor,” Kaspersky researchers Mark Lechtik, Igor Kuznetsov, and Yury Parshin said a telemetry analysis revealed several dozen victims between 2017 and 2019, all of whom had some ties to North Korea.

UEFI is the firmware interface that replaced the legacy BIOS, and one of its security goals is to verify that the boot process has not been tampered with. Because the UEFI firmware itself loads the operating system, an implant living in it survives OS reinstallation and even replacement of the hard drive.

“UEFI firmware makes for a perfect mechanism of persistent malware storage,” Kaspersky said. “A sophisticated attacker can modify the firmware in order to have it deploy malicious code that will be run after the operating system is loaded.”

That’s exactly what this threat actor appears to have done. Although the exact infection vector employed to overwrite the original firmware remains unknown at this stage, a leaked manual suggests the malware may have been deployed through physical access to the victim’s machine.
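The defensive counterpart to the persistence described above is to baseline the firmware volumes in an SPI flash dump and diff every later dump against it. The Python below is an added example, not code from The Hacker News article or from Kaspersky's report: it builds a small synthetic firmware image (the volume contents and the "tampered" variant are constructed here), locates EFI firmware volume headers by their `_FVH` signature, verifies each header's 16-bit checksum, hashes every volume and reports which volumes were modified, added or removed relative to a known-good baseline. The file-system GUID is the standard FFS2 GUID; all function names and sample contents are assumptions made for the illustration.

```python
import hashlib
import struct
import uuid
from dataclasses import dataclass

# Layout of EFI_FIRMWARE_VOLUME_HEADER up to and including Revision
# (ZeroVector[16], FileSystemGuid[16], FvLength u64, Signature[4],
#  Attributes u32, HeaderLength u16, Checksum u16, ExtHeaderOffset u16,
#  Reserved u8, Revision u8); the variable-length block map follows.
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)   # 56 bytes
FV_SIGNATURE = b"_FVH"
SIGNATURE_OFFSET = 40                              # 16 + 16 + 8

# Real EFI_FIRMWARE_FILE_SYSTEM2_GUID, used as the file-system GUID of the
# constructed volumes below.
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")


@dataclass
class Volume:
    offset: int
    fs_guid: str
    length: int
    header_ok: bool      # all 16-bit words of the header sum to zero
    sha256: str


def build_volume(fs_guid: uuid.UUID, body: bytes) -> bytes:
    """Construct one firmware volume (header + one block-map entry + body)."""
    header_len = FV_HEADER_SIZE + 16          # 56 + one entry + terminator
    fv_len = header_len + len(body)
    block_map = struct.pack("<IIII", 1, fv_len, 0, 0)

    def pack(checksum: int) -> bytes:
        return struct.pack(FV_HEADER_FMT, b"\x00" * 16, fs_guid.bytes_le, fv_len,
                           FV_SIGNATURE, 0x0004FEFF, header_len, checksum,
                           0, 0, 2) + block_map

    # Choose the checksum so that the header's 16-bit words sum to 0 mod 2^16.
    words = struct.unpack("<%dH" % (header_len // 2), pack(0))
    return pack((-sum(words)) & 0xFFFF) + body


def find_volumes(image: bytes) -> list:
    """Locate firmware volumes by their _FVH signature and hash each one."""
    volumes, pos = [], 0
    while True:
        sig = image.find(FV_SIGNATURE, pos)
        if sig < 0:
            break
        start, pos = sig - SIGNATURE_OFFSET, sig + 1
        if start < 0 or start + FV_HEADER_SIZE > len(image):
            continue
        (_zero, guid, fv_len, _sig, _attrs, hdr_len,
         _csum, _ext, _res, _rev) = struct.unpack_from(FV_HEADER_FMT, image, start)
        # Reject impossible headers (e.g. a stray "_FVH" inside file data).
        if hdr_len < FV_HEADER_SIZE or hdr_len % 2 or fv_len < hdr_len \
                or start + fv_len > len(image):
            continue
        words = struct.unpack_from("<%dH" % (hdr_len // 2), image, start)
        volumes.append(Volume(
            offset=start,
            fs_guid=str(uuid.UUID(bytes_le=guid)),
            length=fv_len,
            header_ok=(sum(words) & 0xFFFF) == 0,
            sha256=hashlib.sha256(image[start:start + fv_len]).hexdigest(),
        ))
        pos = start + fv_len
    return volumes


def baseline(image: bytes) -> dict:
    """Map (offset, file-system GUID) -> SHA-256 for every volume in the image."""
    return {(v.offset, v.fs_guid): v.sha256 for v in find_volumes(image)}


def compare(image: bytes, known_good: dict) -> dict:
    """Diff a new dump against a known-good baseline."""
    vols = find_volumes(image)
    current = {(v.offset, v.fs_guid): v.sha256 for v in vols}
    return {
        "modified": sorted(k for k in current if k in known_good and current[k] != known_good[k]),
        "added": sorted(k for k in current if k not in known_good),
        "missing": sorted(k for k in known_good if k not in current),
        "bad_headers": [v.offset for v in vols if not v.header_ok],
    }


def _pad(body: bytes) -> bytes:
    return body.ljust(256, b"\xff")   # erased flash reads as 0xFF


# Constructed sample images: the tampered one differs only inside the second
# volume, which is where an added driver would live.
GOOD_IMAGE = (build_volume(FFS2_GUID, _pad(b"constructed PEI volume"))
              + build_volume(FFS2_GUID, _pad(b"constructed DXE volume")))
TAMPERED_IMAGE = (build_volume(FFS2_GUID, _pad(b"constructed PEI volume"))
                  + build_volume(FFS2_GUID, _pad(b"constructed DXE volume + extra driver")))
KNOWN_GOOD = baseline(GOOD_IMAGE)

if __name__ == "__main__":
    for name, img in (("good", GOOD_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(name, compare(img, KNOWN_GOOD))
```

In practice the baseline comes from the vendor's firmware image or from a dump of the same machine taken at provisioning time, and later dumps are read from the SPI flash with a programmer or a flash-reading tool. Hashing per volume rather than the whole image narrows a finding down to the volume that changed, and a header whose checksum no longer sums to zero is itself a sign that something rewrote the flash.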


The new UEFI malware is a custom version of the Hacking Team’s VectorEDK bootkit, which was leaked in 2015 and has since been available online. It’s used to plant a second payload, called the MosaicRegressor — “a multi-stage and modular framework aimed at espionage and data gathering” that consists of additional downloaders to fetch and execute secondary components.

The downloaders, in turn, contact the command-and-control (C2) server to grab next-stage DLLs in order to execute specific commands, the results of which are exported back to the C2 server or forwarded to a “feedback” mail address from where the attackers can collect the amassed data.

The payloads are transferred in a variety of ways, including via e-mail messages from mailboxes (“mail.ru”) hard-coded in the malware’s binary.

In some cases, the malware was instead delivered to victims via spear-phishing e-mails with embedded decoy documents (“0612.doc”) written in Russian that purported to discuss events related to North Korea.

As for the identity of the threat actor behind MosaicRegressor, Kaspersky said it found multiple code-level hints that the components were written by Chinese or Korean speakers, and noted the use of the Royal Road (8.t) RTF weaponizer, which has been tied to multiple Chinese threat groups in the past.


Lastly, Kaspersky found a C2 address in one of MosaicRegressor’s variants that has previously been observed in connection with the Chinese hacker groups broadly known as Winnti (aka APT41).

“The attacks […] demonstrate the length an actor can go in order to gain the highest level of persistence on a victim machine,” Kaspersky concluded.

“It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target’s SPI flash chip, and the high stakes of burning sensitive toolset or assets when doing so.”
