A Chinese hacking team has been observed using a UEFI bootkit to download and install additional malware on targeted computers.
UEFI firmware is a critical component of any computer. It is stored in a flash chip soldered to the motherboard, initializes the hardware components at power-on, and then hands control to the actual operating system (Windows, Linux, macOS, etc.).
UEFI firmware is an attractive target for any hacking team, because malicious code planted there runs before the operating system and survives an OS reinstall.
However, despite these benefits, attacks on UEFI firmware are rare because compromising this component is particularly difficult: attackers either need physical access to the device or have to compromise targets through complex supply chain attacks in which the UEFI firmware, or the tools that build and flash it, are modified to insert malicious code.
Speaking at the SAS virtual security conference, Kaspersky researchers said they had identified the second known case of an in-the-wild attack that implanted malicious code in UEFI firmware.
The first, unveiled by ESET in 2018, is believed to have been carried out by Fancy Bear, one of Russia's state-funded groups. The second is the work of Chinese hackers, says Kaspersky.
The company said it discovered the attacks after two computers were flagged as suspicious by its Firmware Scanner.
In a talk today, Kaspersky researchers Mark Lechtik and Igor Kuznetsov said they had investigated the flagged systems and found malicious code inside the UEFI firmware. This code, they said, was designed to install a malicious application (a dropper) on every boot of the computer.
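The behaviour described above, a firmware image that carries an extra file the vendor never shipped, is what a firmware-integrity scanner looks for. The following is an added example, not Kaspersky's Firmware Scanner and not code from the article: a minimal parser for a UEFI firmware volume (the `_FVH` header and the FFS file headers inside it) that lists every embedded file and compares it against a known-good baseline of file GUIDs and body hashes. The two images, the GUIDs and the file bodies are constructed inline so the script runs offline; in practice the image would come from an SPI flash dump and the baseline from the vendor's clean firmware.

```python
"""Added example: flag UEFI firmware-volume files missing from a clean baseline.
Not Kaspersky's scanner; GUIDs, bodies and images below are constructed."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
# EFI_FIRMWARE_VOLUME_HEADER up to (not including) the block map: 56 bytes.
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_LEN = struct.calcsize(FV_HEADER_FMT)
FFS_HEADER_LEN = 24                     # EFI_FFS_FILE_HEADER
EFI_FV_FILETYPE_DRIVER = 0x07           # DXE driver
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")


def build_ffs_file(guid: uuid.UUID, ftype: int, body: bytes) -> bytes:
    """Wrap a body in an FFS file header (GUID, integrity, type, attrs, 3-byte size, state)."""
    size = FFS_HEADER_LEN + len(body)
    return guid.bytes_le + b"\x00\x00" + bytes([ftype, 0x00]) + size.to_bytes(3, "little") + b"\xF8" + body


def build_firmware_volume(files) -> bytes:
    """Build a constructed FFS2 volume: header, one-entry block map, 8-byte aligned files."""
    body = b""
    for guid, ftype, payload in files:
        body += build_ffs_file(guid, ftype, payload)
        if len(body) % 8:
            body += b"\xFF" * (8 - len(body) % 8)   # free flash reads as 0xFF
    header_len = FV_HEADER_LEN + 16                 # header + block map (entry + terminator)
    fv_length = header_len + len(body)
    block_map = struct.pack("<IIII", 1, fv_length, 0, 0)
    header = struct.pack(FV_HEADER_FMT, b"\x00" * 16, FFS2_GUID.bytes_le, fv_length,
                         FV_SIGNATURE, 0x0004FEFF, header_len, 0, 0, 0, 2)
    return header + block_map + body


def parse_firmware_volume(image: bytes):
    """Enumerate FFS files in a volume; returns dicts with guid, type, offset and body hash."""
    if len(image) < FV_HEADER_LEN:
        raise ValueError("image too short for a firmware volume header")
    _, _, fv_length, sig, _, header_len, _, _, _, _ = struct.unpack_from(FV_HEADER_FMT, image, 0)
    if sig != FV_SIGNATURE:
        raise ValueError("not a firmware volume: bad _FVH signature")
    if fv_length > len(image) or header_len >= fv_length:
        raise ValueError("inconsistent FvLength/HeaderLength")
    files, off = [], header_len
    while off + FFS_HEADER_LEN <= fv_length:
        hdr = image[off:off + FFS_HEADER_LEN]
        if hdr == b"\xFF" * FFS_HEADER_LEN:
            break                                   # erased flash: no more files
        size = int.from_bytes(hdr[20:23], "little")
        if size < FFS_HEADER_LEN or off + size > fv_length:
            raise ValueError(f"malformed FFS file at offset {off:#x}")
        body = image[off + FFS_HEADER_LEN:off + size]
        files.append({"guid": str(uuid.UUID(bytes_le=hdr[:16])), "type": hdr[18],
                      "offset": off, "sha256": hashlib.sha256(body).hexdigest()})
        off = (off + size + 7) & ~7                 # next file is 8-byte aligned
    return files


def find_unexpected_files(files, baseline):
    """baseline maps GUID -> expected body sha256; report unknown or modified files."""
    findings = []
    for f in files:
        expected = baseline.get(f["guid"])
        if expected is None:
            findings.append(("unknown file not in baseline", f))
        elif expected != f["sha256"]:
            findings.append(("file body differs from baseline", f))
    return findings


# Constructed sample data: one vendor driver, plus one file the vendor never shipped.
KNOWN_DRIVER_GUID = uuid.UUID("11111111-2222-4333-8444-555555555555")
UNKNOWN_DRIVER_GUID = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")
CLEAN_IMAGE = build_firmware_volume([(KNOWN_DRIVER_GUID, EFI_FV_FILETYPE_DRIVER, b"KNOWN-DXE-DRIVER-BODY")])
SUSPECT_IMAGE = build_firmware_volume([
    (KNOWN_DRIVER_GUID, EFI_FV_FILETYPE_DRIVER, b"KNOWN-DXE-DRIVER-BODY"),
    (UNKNOWN_DRIVER_GUID, EFI_FV_FILETYPE_DRIVER, b"UNEXPECTED-ADDED-DRIVER")])
BASELINE = {f["guid"]: f["sha256"] for f in parse_firmware_volume(CLEAN_IMAGE)}


def scan(image: bytes, baseline=BASELINE):
    """Parse an image and return the list of findings against the baseline."""
    return find_unexpected_files(parse_firmware_volume(image), baseline)


if __name__ == "__main__":
    for reason, entry in scan(SUSPECT_IMAGE):
        print(f"{reason}: {entry['guid']} at offset {entry['offset']:#x}")
```

A real scanner also has to descend into nested volumes and compressed sections, verify the vendor's signatures rather than trust a self-made baseline, and treat a missing or altered file as seriously as an added one; the GUID-plus-hash comparison shown here is the core check that turns a flash dump into a "suspicious" flag.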
This initial dropper served as a downloader for further malware components, which Kaspersky grouped under the name MosaicRegressor.
Kaspersky said it had not yet obtained and analyzed all the components of MosaicRegressor, but the ones it examined contained functionality for collecting all documents from the Recent Documents folder and placing them in a password-protected archive, most likely to stage the files for exfiltration by another component.
The researchers said they found the UEFI bootkit on only two systems, but found MosaicRegressor components on many other computers.
But Kaspersky made another discovery while analyzing these attacks: the malicious UEFI code was not new. According to their analysis, it was based on VectorEDK, a toolkit for attacks on UEFI firmware created by the Italian company Hacking Team.