Kaspersky has discovered a new firmware bootkit in the wild. It is based on Hacking Team's leaked toolkit and has been used to attack diplomats and members of NGOs in Europe, Africa and Asia.
Kaspersky researchers have uncovered an Advanced Persistent Threat (APT) espionage campaign that uses a firmware bootkit. The malware was detected by Kaspersky's UEFI/BIOS scanning technology, which is also able to detect previously unknown threats. The scanner identified previously unknown malware in the Unified Extensible Firmware Interface (UEFI), an essential part of every modern computing device; because the malware lives there, infected devices are very difficult to identify and to clean. The malware's UEFI bootkit is a customized version of the Hacking Team bootkit whose source code was leaked in 2015.
UEFI firmware can contain malicious code
The UEFI firmware is an integral part of a computer: it runs before the operating system and before any program installed on it. If the UEFI firmware contains malicious code, that code starts before the operating system, which means security solutions running inside the operating system may never see it. Because of this, and because the firmware is stored on a flash chip separate from the hard drive, attacks against UEFI are extremely persistent and difficult to remove. A firmware infection essentially means that no matter how often the operating system is reinstalled, the malware contained in the bootkit remains on the device.
Kaspersky researchers found such UEFI malware as part of a campaign that delivered variants of a complex, multi-stage modular framework called MosaicRegressor. The framework has been used for espionage and data collection, with the UEFI malware serving as one of the methods used to maintain persistence on the system.
Vector EDK boot kit served as a template
The UEFI bootkit components are heavily based on the 'Vector-EDK' bootkit developed by Hacking Team, whose source code was leaked in 2015. This most likely allowed the attackers to build their own software with little development effort and a lower risk of detection.
The attacks were detected using the firmware scanner that has been included in Kaspersky products since the beginning of 2019. The technology is specifically designed to detect threats hiding in the ROM BIOS, including UEFI firmware images.
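The defender-side counterpart to a firmware scanner is a baseline diff: dump the SPI flash image, enumerate the files in its UEFI firmware volumes, and compare their hashes against a known-good dump of the same machine model. The following is an added example written for this article, not Kaspersky's scanner and not code from the MosaicRegressor report. It parses flat FFS2 firmware volumes using the header layouts from the UEFI PI specification (the `_FVH` signature, the 24-byte FFS file header, 8-byte file alignment) and reports files that were added, removed or modified. The sample images, GUIDs and file bodies at the bottom are constructed for the demo; real firmware also contains nested volumes and compressed sections, which this parser does not descend into.

```python
"""Firmware-volume integrity check (added example, not Kaspersky's scanner).

Walks the UEFI firmware volumes in a dumped SPI image, enumerates the FFS
files inside them and diffs their SHA-256 digests against a known-good
baseline. Header layouts follow the UEFI PI specification; the sample
images built at the bottom are constructed for the demo, not real firmware.
"""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"       # EFI_FIRMWARE_VOLUME_HEADER.Signature, at offset 40
FV_HEADER_LEN = 56           # fixed part of the header; the block map follows
FFS_HEADER_LEN = 24          # sizeof(EFI_FFS_FILE_HEADER)
FFS_TYPE_DRIVER = 0x07       # EFI_FV_FILETYPE_DRIVER
FFS_TYPE_APPLICATION = 0x09  # EFI_FV_FILETYPE_APPLICATION
FFS_TYPE_PAD = 0xF0          # EFI_FV_FILETYPE_FFS_PAD, carries no code
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID


def _align8(n):
    return (n + 7) & ~7


def _walk_ffs(image, fv_start, start, end):
    """Yield (guid, type, body) for each FFS file between start and end."""
    off = start
    while off + FFS_HEADER_LEN <= end:
        if image[off:off + 16] == b"\xff" * 16:
            break                      # erased flash: no more files
        guid = str(uuid.UUID(bytes_le=image[off:off + 16]))
        ftype = image[off + 18]
        size = int.from_bytes(image[off + 20:off + 23], "little")  # 24-bit size, includes header
        if size < FFS_HEADER_LEN or off + size > end:
            break                      # corrupt header: stop instead of reading garbage
        if ftype != FFS_TYPE_PAD:
            yield guid, ftype, image[off + FFS_HEADER_LEN:off + size]
        off = fv_start + _align8(off - fv_start + size)  # files are 8-byte aligned in the volume


def parse_firmware_volumes(image):
    """Yield (fv_offset, [(guid, type, body), ...]) for every volume found."""
    pos = 0
    while True:
        sig = image.find(FV_SIGNATURE, pos)
        if sig < 0:
            return
        pos = sig + 4
        fv_start = sig - 40
        if fv_start < 0 or fv_start + FV_HEADER_LEN > len(image):
            continue
        fv_len, = struct.unpack_from("<Q", image, fv_start + 32)
        hdr_len, = struct.unpack_from("<H", image, fv_start + 48)
        if fv_len == 0 or fv_start + fv_len > len(image) or hdr_len < FV_HEADER_LEN:
            continue                   # signature match but not a plausible header
        yield fv_start, list(_walk_ffs(image, fv_start, fv_start + hdr_len, fv_start + fv_len))
        pos = fv_start + fv_len


def file_digests(image):
    """Map file GUID -> SHA-256 of the file body across all volumes."""
    digests = {}
    for _, files in parse_firmware_volumes(image):
        for guid, _, body in files:
            digests[guid] = hashlib.sha256(body).hexdigest()
    return digests


def diff_against_baseline(image, baseline):
    """Report files that appeared, vanished or changed relative to a golden dump."""
    current = file_digests(image)
    return {
        "added": sorted(g for g in current if g not in baseline),
        "removed": sorted(g for g in baseline if g not in current),
        "modified": sorted(g for g in current if g in baseline and current[g] != baseline[g]),
    }


# --- constructed sample images for the demo (not real firmware) -------------
def build_ffs_file(guid, ftype, body):
    size = FFS_HEADER_LEN + len(body)
    hdr = uuid.UUID(guid).bytes_le + struct.pack("<HBB", 0, ftype, 0)  # Name, IntegrityCheck, Type, Attributes
    return hdr + size.to_bytes(3, "little") + b"\xf8" + body          # Size (24-bit), State, then data


def build_volume(files, total_len=4096):
    body = b""
    for f in files:
        body += f + b"\xff" * (_align8(len(f)) - len(f))
    block_map = struct.pack("<IIII", 1, total_len, 0, 0)  # one block entry, then the terminator
    hdr = b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", total_len) + FV_SIGNATURE
    hdr += struct.pack("<IHHHBB", 0, FV_HEADER_LEN + len(block_map), 0, 0, 0, 2) + block_map
    vol = hdr + body
    return vol + b"\xff" * (total_len - len(vol))


DRIVER_GUID = "11111111-2222-4333-8444-555555555555"   # constructed, stands in for a vendor DXE driver
APP_GUID = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"      # constructed, stands in for a boot application
IMPLANT_GUID = "deadbeef-0000-4000-8000-000000000001"  # constructed, the extra file a diff should catch

GOLDEN_IMAGE = build_volume([
    build_ffs_file(DRIVER_GUID, FFS_TYPE_DRIVER, b"MZ" + b"\x00" * 200),
    build_ffs_file(APP_GUID, FFS_TYPE_APPLICATION, b"MZ" + b"\x01" * 120),
])
BASELINE = file_digests(GOLDEN_IMAGE)   # taken from a trusted dump of the same model

TAMPERED_IMAGE = build_volume([
    build_ffs_file(DRIVER_GUID, FFS_TYPE_DRIVER, b"MZ" + b"\x00" * 196 + b"HOOK"),  # patched driver
    build_ffs_file(APP_GUID, FFS_TYPE_APPLICATION, b"MZ" + b"\x01" * 120),
    build_ffs_file(IMPLANT_GUID, FFS_TYPE_DRIVER, b"MZ" + b"\x02" * 64),            # unexpected extra driver
])


def scan_report(image=TAMPERED_IMAGE, baseline=BASELINE):
    """One-call entry point: diff an image against the golden baseline."""
    return diff_against_baseline(image, baseline)


if __name__ == "__main__":
    print(scan_report())
```

On a real system the image comes from a flash dump (for example via a tool such as chipsec or a hardware programmer) and the baseline from a trusted dump of the same board and firmware version; the diff then flags exactly the two things a firmware implant produces, a driver body that no longer matches and a file GUID the vendor never shipped. A vendor firmware update will also produce a large diff, so the baseline has to be refreshed after every legitimate update.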
Infection vector unknown
While it was not possible to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware, Kaspersky researchers were able to draw conclusions about how this could have been done from the information about VectorEDK in the leaked Hacking Team documents. One possibility is that the infection took place through physical access to the victim's computer, using a bootable USB stick containing a special update utility. The patched firmware would then have facilitated the installation of a Trojan downloader, malware that lets any payload chosen by the attacker be downloaded while the operating system is running.
In most cases, however, the MosaicRegressor components were delivered to the victims by far less sophisticated means, for example via spear phishing, in which a dropper was hidden in an archive together with a decoy file. The framework's multi-module structure allowed the attackers to keep the broader framework hidden from analysis and to deploy components to target computers only when needed. The malware initially installed on the infected device is a Trojan downloader, a program used to fetch additional payloads and other malware. Depending on the payload, the malware can download or upload arbitrary files to and from arbitrary URLs and collect information from the target computer.
Attackers target diplomats and NGOs
MosaicRegressor has been used in a number of targeted attacks against diplomats and members of NGOs in Africa, Asia and Europe. Some of the attacks involved spear-phishing documents written in Russian, while others were related to North Korea and served as lures to download malware.
So far, the campaign could not be assigned with any certainty to a known APT actor.
"Although UEFI attacks offer great opportunities for threat actors, MosaicRegressor is the first publicly known case in which a threat actor has used bespoke, malicious UEFI firmware in the wild," said Mark Lechtik, senior security researcher with the Global Research and Analysis Team (GReAT) at Kaspersky. "Previously known attacks have repurposed and reused legitimate software such as LoJax. This is the first attack in the wild that uses a specially made UEFI boot kit. This attack shows that, in exceptional cases, though rarely, actors are willing to go to great lengths to stay on a victim's device for as long as possible. Threat actors are continually diversifying their toolsets and getting more creative in the way they approach victims, and security vendors should do the same to stay ahead of cybercriminals. Thanks to the combination of our technology and our understanding of current and past campaigns with infected firmware, we can monitor and report future attacks on such targets."
Threat actors have a clear advantage
"Using leaked third-party source code and adapting it to new advanced malware shows the importance of data security," added Igor Kuznetsov, security researcher at GReAT, Kaspersky. "As soon as software, be it a boot kit, malware or something else, leaks, threat actors have a clear advantage. Because freely available tools offer you the opportunity to further develop and adapt your tool sets with less effort and less likelihood of being recognized."
More on this at Kaspersky.de
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services that protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/