Tuesday, October 27, 19:08

Chinese team uses UEFI bootkit to spread malware

A Chinese hacking team has been observed using a UEFI bootkit to download and install additional malware on targeted computers.

UEFI firmware is a critical component of any computer. It is stored in a flash chip soldered to the motherboard, initializes the machine's hardware components and then hands control to the actual operating system (Windows, Linux, macOS and so on).

UEFI malware

UEFI firmware is an attractive target for any hacking team, because malicious code planted there survives even a reinstallation of the operating system.

Despite these advantages, attacks on UEFI firmware are rare because compromising this component is particularly difficult: attackers either need physical access to the device or have to reach their targets through complex supply-chain attacks in which the UEFI firmware, or the tools used to flash it, are modified to insert malicious code.

Speaking at the SAS virtual security conference, Kaspersky researchers said they had identified the second known case of an in-the-wild attack in which malicious code was implanted in UEFI firmware.

The first, disclosed by ESET in 2018, was attributed to Fancy Bear, one of Russia's state-sponsored groups. The second is the work of Chinese hackers, Kaspersky says.

The company said it discovered the attacks after its Firmware Scanner flagged two computers as suspicious.
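The article does not say how the Firmware Scanner works, so the following is an added example, not code from the page or from Kaspersky. It shows the simplest defensive check a firmware scanner can do: enumerate the firmware volumes in a dumped SPI flash image (by the `_FVH` signature and `FvLength` field of the EFI_FIRMWARE_VOLUME_HEADER, as laid out in the UEFI PI specification), hash each volume, and diff the result against a baseline taken from a known-good machine running the same firmware version. The image bytes built by `build_fake_volume` are constructed test data that only mimic the header layout; a real image would come from a flash programmer or a tool such as chipsec.

```python
import hashlib
import struct

FV_SIGNATURE = b"_FVH"
FV_SIG_OFFSET = 40      # offset of the Signature field within EFI_FIRMWARE_VOLUME_HEADER
FV_LENGTH_OFFSET = 32   # offset of the UINT64 FvLength field
FV_HEADER_MIN = 56      # size of the fixed header part, before the block map


def find_firmware_volumes(image: bytes):
    """Yield (offset, length) for every firmware volume whose header passes sanity checks."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - FV_SIG_OFFSET
        if start >= 0 and start + FV_HEADER_MIN <= len(image):
            (fv_len,) = struct.unpack_from("<Q", image, start + FV_LENGTH_OFFSET)
            # reject lengths that are smaller than the header or run past the image
            if FV_HEADER_MIN <= fv_len <= len(image) - start:
                yield start, fv_len
                pos = image.find(FV_SIGNATURE, start + fv_len)
                continue
        pos = image.find(FV_SIGNATURE, pos + 1)   # stray signature, keep scanning


def volume_digests(image: bytes) -> dict:
    """Map each firmware volume's start offset to the SHA-256 of its full contents."""
    return {off: hashlib.sha256(image[off:off + ln]).hexdigest()
            for off, ln in find_firmware_volumes(image)}


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify volumes as modified, added or removed relative to a known-good baseline."""
    return {
        "modified": sorted(o for o in baseline if o in current and baseline[o] != current[o]),
        "added": sorted(o for o in current if o not in baseline),
        "removed": sorted(o for o in baseline if o not in current),
    }


def build_fake_volume(payload: bytes) -> bytes:
    """Constructed test data: a minimal firmware-volume header followed by payload bytes."""
    total = FV_HEADER_MIN + len(payload)
    hdr = bytearray(FV_HEADER_MIN)
    struct.pack_into("<Q", hdr, FV_LENGTH_OFFSET, total)
    hdr[FV_SIG_OFFSET:FV_SIG_OFFSET + 4] = FV_SIGNATURE
    return bytes(hdr) + payload


def demo() -> dict:
    """Baseline a clean two-volume image, then flip one bit in the second volume."""
    clean = b"\xff" * 64 + build_fake_volume(b"PEI" * 10) + build_fake_volume(b"DXE" * 10)
    tampered = bytearray(clean)
    tampered[-5] ^= 0x01          # one-bit change inside the second volume (offset 150)
    return compare_to_baseline(volume_digests(clean), volume_digests(bytes(tampered)))


if __name__ == "__main__":
    print(demo())   # {'modified': [150], 'added': [], 'removed': []}
```

The baseline must come from the same vendor firmware version, otherwise every volume shows as modified after a legitimate BIOS update; a hit on a single DXE volume while the rest of the image is unchanged is the pattern worth escalating, since that is where an injected driver would land.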

In their talk, Kaspersky researchers Mark Lechtik and Igor Kuznetsov said they had examined the flagged systems and found malicious code inside the UEFI firmware. This code, they said, was designed to install a malicious application on the system after every boot.

This initial application acted as a downloader for further malware components, which Kaspersky grouped under the name MosaicRegressor.

Kaspersky said it had not yet obtained and analyzed every component of MosaicRegressor, but the ones it examined included functionality for collecting all documents from the Recent Documents folder and packing them into a password-protected archive, most likely staging the files for exfiltration by another component.

The researchers said they found the UEFI bootkit on only two systems, but found MosaicRegressor components on many other computers.

All the targets of these attacks were carefully selected, however: they were diplomatic entities and NGOs in Africa, Asia and Europe.

Kaspersky made another discovery during the analysis of these attacks: the malicious UEFI code was not new. According to their analysis, it was based on VectorEDK, a toolkit for attacks on UEFI firmware created by the Italian company HackingTeam.
