Computers are made up of multiple components – both software and hardware, each with its own complexity. One such component happens to be the Unified Extensible Firmware Interface (UEFI) which is the software that is installed on a computer’s motherboard.
By default this grants it access to the entire system, and it starts running the moment a computer is turned on. Because it sits this deep in the system, it is also correspondingly difficult for it to be infected by malware.
Despite this, a recent report by Kaspersky suggests that a UEFI-based malware has been found – only the second of its kind ever known publicly.
According to the researchers, the malware is in the form of a “compromised UEFI firmware image” with an implant that installs additional malware on the victim devices.
Found using Firmware Scanner, a product from Kaspersky, the malware has been linked to a larger framework that has been named MosaicRegressor. Its targets included diplomats and NGO members across 3 continents, namely Africa, Asia, and Europe, from 2017 to 2019.
The researchers believe that the perpetrators behind the malware campaign are linked to North Korea (DPRK). On the other hand, some parts of the malware also point to the possibility that a Chinese attacker may be the culprit here.
Initially, the malware was found on the computer systems of 2 diplomats based in Asia. According to the researchers, the malware works by placing a file named “IntelUpdate.exe” in the Windows Startup folder, which contains all the files that are run as soon as the computer starts.
If that executable is removed somehow, the malware automatically re-writes it, maintaining persistent access to the victim’s machine. One of its functions is stealing documents from the victim’s computer and transmitting them to a C2 server through the use of a library named “load.rem”.
However, there is no confirmation as to how the original UEFI firmware was tampered with in the first place, so this remains a speculative affair, to say the least. A possibility mentioned by the researchers, in addition to a remote attack, is the following:
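The persistence behaviour described above (an executable dropped into the Windows Startup folder and re-written whenever it is deleted) is something a defender can look for in endpoint file telemetry. The following is an added example, not code from the article or from Kaspersky: it runs two checks over a handful of constructed Sysmon-style file events (the event shape, timestamps, user name and paths are all invented for the demo). The first check flags executables created inside a Startup folder; the second flags any path that is created again after having been deleted, which is the re-install pattern the article describes.

```python
"""Detection logic for Startup-folder persistence (added example, not from the article).

Two checks over file-create / file-delete events:
  1. an executable written into a Windows Startup folder;
  2. a file that reappears after it was deleted (the "re-writes it" behaviour).
The events below are constructed sample records, not real telemetry.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Both the per-user and the all-users Startup folders end in this path fragment.
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup"

# Extensions worth flagging when they show up in a Startup folder.
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".ps1", ".lnk"}


def is_startup_path(path: str) -> bool:
    """True if the path lies inside a Startup folder (case-insensitive)."""
    return STARTUP_MARKER in path.lower().replace("/", "\\")


def is_executable(path: str) -> bool:
    """True if the file extension is one Windows will execute from Startup."""
    return PureWindowsPath(path).suffix.lower() in EXEC_SUFFIXES


def find_startup_drops(events: list[dict]) -> list[dict]:
    """Return every FileCreate event that writes an executable into a Startup folder."""
    return [
        e for e in events
        if e["event"] == "FileCreate"
        and is_startup_path(e["path"])
        and is_executable(e["path"])
    ]


def find_recreated_files(events: list[dict]) -> list[str]:
    """Return (lower-cased) paths that were created again directly after a delete.

    The article does not say which component writes the file back, so the check
    keys on the path history alone rather than on the writing process.
    """
    history: dict[str, list[str]] = defaultdict(list)
    # ISO 8601 timestamps sort correctly as strings.
    for e in sorted(events, key=lambda ev: ev["time"]):
        history[e["path"].lower()].append(e["event"])
    recreated = []
    for path, seq in history.items():
        if any(prev == "FileDelete" and cur == "FileCreate"
               for prev, cur in zip(seq, seq[1:])):
            recreated.append(path)
    return recreated


# Constructed sample events: a drop, an unrelated file, a delete, a re-drop next boot,
# and a normal document write that must not be flagged.
_STARTUP = r"C:\Users\sampleuser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"time": "2019-03-01T08:00:01", "event": "FileCreate", "path": _STARTUP + r"\IntelUpdate.exe"},
    {"time": "2019-03-01T08:00:05", "event": "FileCreate", "path": _STARTUP + r"\desktop.ini"},
    {"time": "2019-03-01T09:15:00", "event": "FileDelete", "path": _STARTUP + r"\IntelUpdate.exe"},
    {"time": "2019-03-02T08:00:02", "event": "FileCreate", "path": _STARTUP + r"\IntelUpdate.exe"},
    {"time": "2019-03-02T08:30:00", "event": "FileCreate", "path": r"C:\Users\sampleuser\Documents\report.docx"},
]


if __name__ == "__main__":
    for e in find_startup_drops(SAMPLE_EVENTS):
        print("startup drop:", e["time"], e["path"])
    for p in find_recreated_files(SAMPLE_EVENTS):
        print("recreated after delete:", p)
```

The second check is the more useful one in practice: a single executable in Startup is common and noisy, but the same Startup item coming back after an analyst deleted it is a strong sign that something outside the user's session is re-installing it, which is exactly when firmware-level persistence should be on the list of suspects.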
One option is through physical access to the victim's machine. This could be partially based on Hacking Team's leaked material, according to which the installation of firmware infected with VectorEDK requires booting the target machine from a USB key. Such a USB would contain a special update utility that can be generated with a designated builder provided by the company. We found a Q-flash update utility in our inspected firmware, which could have been used for such a purpose as well.
To conclude, this remains a rare kind of attack in the cybersecurity world, and it is no surprise that many professionals would have found themselves unprepared for it. Looking ahead, it is important to realize that such attacks may become more mainstream, so further research is needed to protect against them.