New firmware boot kit in the wild


Kaspersky has discovered a new firmware boot kit in the wild. It is based on the Hacking Team's Toolkit. It has been used to attack diplomats and members of NGOs in Europe, Africa and Asia.

Kaspersky researchers have uncovered an Advanced Persistent Threat (APT) espionage campaign that uses a firmware boot kit. The malware was detected by Kaspersky's UEFI / BIOS scanning technology, which can also detect unknown threats. The scanning technology identified previously unknown malware in the Unified Extensible Firmware Interface (UEFI), an essential part of every modern computing device; because the malware lives in this firmware, infected devices are very difficult to identify and to clean. The malware's UEFI boot kit is a customized version of the Hacking Team boot kit that was leaked in 2015.

UEFI firmware can contain malicious code

The UEFI firmware is an integral part of a computer that runs before the operating system and any programs installed in it. If the UEFI firmware contains malicious code, that code is executed before the operating system starts, so security solutions running inside the operating system may never see it. Because of this, and because the firmware is stored on a flash chip that is separate from the hard drive, attacks against UEFI are extremely persistent and difficult to remove. A firmware infection essentially means that no matter how often the operating system is reinstalled, the malware contained in the boot kit remains on the device.

Kaspersky researchers found such UEFI malware as part of a campaign in which variants of a complex, multi-level modular framework called MosaicRegressor were deployed. The framework has been used for espionage and data collection, with the UEFI malware being one of the methods used to anchor itself on the system.

Vector EDK boot kit served as a template

The UEFI bootkit components are heavily based on the 'Vector-EDK' bootkit developed by Hacking Team, whose source code was leaked in 2015. This most likely allowed the attackers to create their own software with little development effort and detection risk.

The attacks were detected using the firmware scanner, which has been included in Kaspersky products since the beginning of 2019. The technology is specifically designed to detect threats hiding in the ROM BIOS - including UEFI firmware images.

Infection vector unknown

While it was not possible to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware, Kaspersky researchers were able to draw conclusions about how this could have been done from the information about VectorEDK in the leaked Hacking Team documents. One possibility is that the infection required physical access to the victim's computer. This could have happened using a bootable USB stick containing a special update utility. The patched firmware would then have enabled a Trojan downloader to be installed: malware that downloads a payload of the attacker's choosing while the operating system is running.

In most cases, however, the MosaicRegressor components were delivered to the victims by far less sophisticated means - for example via spear phishing, in which a dropper was hidden in an archive together with a decoy file. The multi-module structure of the framework allowed the attackers to keep the broader framework hidden from analysis and deploy components to target computers only when needed. The malware initially installed on the infected device is a Trojan downloader, a program that fetches additional payloads and other malware. Depending on the payload, the malware can download or upload any files to and from any URL and collect information from the target computer.

Attackers target diplomats and NGOs

MosaicRegressor has been used in a number of targeted attacks against diplomats and members of NGOs in Africa, Asia and Europe. Some of the attacks involved spear phishing documents in Russian, while others were linked to North Korea and used as bait to download malware.
So far, the campaign could not be assigned with any certainty to a known APT actor.

"Although UEFI attacks offer great opportunities for threat actors, MosaicRegressor is the first publicly known case in which a threat actor has used bespoke, malicious UEFI firmware in the wild," said Mark Lechtik, senior security researcher with the Global Research and Analysis Team (GReAT) at Kaspersky. "Previously known attacks have repurposed and reused legitimate software such as LoJax. This is the first attack in the wild that uses a specially made UEFI boot kit. This attack shows that, in exceptional cases, though rarely, actors are willing to go to great lengths to stay on a victim's device for as long as possible. Threat actors are continually diversifying their toolsets and getting more creative in the way they approach victims - and security vendors should do the same to stay ahead of cybercriminals. Thanks to the combination of our technology and our understanding of current and past campaigns with infected firmware, we can monitor and report future attacks on such targets."

Threat actors have a clear advantage

"Using leaked third-party source code and adapting it to new advanced malware shows the importance of data security," added Igor Kuznetsov, security researcher at GReAT, Kaspersky. "As soon as software - be it a boot kit, malware or something else - leaks, threat actors have a clear advantage, because freely available tools offer them the opportunity to further develop and adapt their tool sets with less effort and less likelihood of being detected."

More on this at Kaspersky.de
About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/