Security researchers at Kaspersky have discovered a rootkit in the wild that infects UEFI (Unified Extensible Firmware Interface) firmware, which is basically the modern day BIOS. This is only the second time they have observed malicious UEFI firmware in use by a threat actor in the wild. In this case, by way of targeted attacks against non-government organizations (NGOs) in Africa, Asia, and Europe.
Rootkits are also highly resilient to traditional detection and removal methods. By infecting the UEFI, malware can load while the PC is being initialized, before the operating system and any antivirus software has a chance to step in and thwart any malicious activity. But that is only part of the problem. Because rootkits reside in the BIOS/UEFI, a PC remains infected even if going nuclear and reinstalling the OS, or swapping out the storage drive entirely.
Kaspersky has named this particular rootkit strain MosaicRegressor. It was discovered during an investigation of several suspicious UEFI firmware images. Kaspersky found that several components of the rootkit were based on leaked source code of HackingTeam's VectorEDK bootkit, with some minor modifications and modules added into the mix.
"The goal of these added modules is to invoke a chain of events that would result in writing a malicious executable named ‘IntelUpdate.exe’ to the victim’s Startup folder. Thus, when Windows is started the written malware would be invoked as well. Apart from that, the modules would ensure that if the malware file is removed from the disk, it will be rewritten," Kaspersky says.
Kaspersky is not entirely sure how exactly MosaicRegressor found its way into the wild. One possibility is by an attacker having physical access to a target PC, and installing it from a USB flash drive.
Best CPU for gaming (opens in new tab): the top chips from Intel and AMD
Best graphics card (opens in new tab): your perfect pixel-pusher awaits
Best SSD for gaming (opens in new tab): get into the game ahead of the rest
"Such a USB would contain a special update utility that can be generated with a designated builder provided by the company. We found a Q-flash update utility in our inspected firmware, which could have been used for such a purpose as well," Kaspersky says.
While that would be the most straightforward way, Kaspersky has not ruled out the possibility of a remote attack, "perhaps through a compromised update mechanism." There is no evidence to suggest this actually occurred, but it is a possibility nonetheless.
While the typical user probably does not need to worry about MosaicRegressor, it is still a bit concerning that it exists, especially if it does come to light that it spread through remote means. This could embolden attackers to focus on similar attacks. In theory, anyway. In practice, malware actors are, for the most part, likely to stick with tried and trued methods, such as ransomware.
Thanks, Bleeping Computer (opens in new tab)