Kaspersky uncovers second-ever UEFI-based malware attacks

Because UEFI lives within a flash memory chip, any malware injected into it can survive reboots, formats and OS reinstalls

Researchers from Russian antivirus maker Kaspersky claim to have uncovered a second case of a rogue UEFI-based malware, developed by Chinese-speaking hackers to target diplomatic entities in Asia, Africa, and Europe.

The Unified Extensible Firmware Interface (UEFI) is the firmware that resides in a flash memory chip soldered to a computer's motherboard. It is the first software to execute when a system boots, which gives it access to and control over all hardware components as well as various parts of the machine's operating system.

Because UEFI lives inside a memory chip, malware injected into it can survive reboots, formats and OS reinstalls, enabling threat actors to maintain their presence on compromised machines for a long time.

Despite these advantages for an attacker, UEFI firmware attacks are difficult to carry out: the attacker needs either physical access to the target device or a way to compromise it through a complex supply chain attack.

Kaspersky added a firmware scanner into its antivirus products last year, which has now helped to uncover the second known case of UEFI malware.

The first case, reported by ESET researchers in 2018, was allegedly carried out by the Russian state-backed hacking group Fancy Bear.

Kaspersky named the new UEFI malware campaign MosaicRegressor, stating that the malicious code was discovered in just two systems belonging to diplomatic officials in Asia.

"According to our telemetry, there were several dozen victims who received components from the MosaicRegressor framework between 2017 and 2019. These victims included diplomatic entities and NGOs in Africa, Asia and Europe. Only two of them were also infected with the UEFI bootkit in 2019, predating the deployment of the BitsReg component," the company said in a blog post.

The UEFI firmware on the two flagged systems was found to contain code designed to install a malicious application (an autorun programme) after each system restart. That application allowed the attackers to download further malware modules onto the target systems and to steal confidential data.
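The firmware scanner mentioned above works, at its simplest, by finding the executable modules embedded in a firmware image and checking each against a baseline of known-good hashes; an injected driver like the one described in the previous paragraph shows up as a module the baseline has never seen. The following is an added illustration of that idea, not Kaspersky's or Microsoft's scanner code, and not derived from MosaicRegressor. It scans a constructed firmware image for embedded PE/COFF modules (UEFI DXE drivers are PE images), hashes each one, and reports any module whose hash is not in the baseline. The sample modules, the padding bytes and the baseline are all constructed here; a real firmware image would be parsed through its firmware volumes and file-system structures, and the baseline would come from the vendor's signed release.

```python
"""Toy firmware-image scanner (added example, not a real product's code).

Locates PE/COFF modules embedded in a flash image, hashes them and flags
any module absent from a known-good baseline.  Everything below is
constructed for illustration: the modules, the 'blank flash' padding and
the baseline.
"""
import hashlib
import struct

PAD = b"\xff" * 64  # erased-flash filler between modules (constructed)


def build_pe(payload: bytes) -> bytes:
    """Build a minimal PE/COFF blob (constructed sample): 64-byte DOS header with
    e_lfanew -> 'PE\\0\\0', a COFF header declaring one section and an empty
    optional header, one section header, then the payload as section data."""
    headers_size = 64 + 4 + 20 + 40          # DOS header + signature + COFF + 1 section
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew lives at 0x3c
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0002)
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), headers_size,
        0, 0, 0, 0, 0x60000020)
    blob = dos + b"PE\0\0" + coff + section
    assert len(blob) == headers_size
    return blob + payload


def find_pe_modules(image: bytes):
    """Return [(offset, module_bytes)] for each PE/COFF image embedded in `image`.

    A candidate is an 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature; the
    module's on-disk extent is the furthest byte covered by any section's raw
    data (or the end of the headers, whichever is larger)."""
    modules, pos = [], 0
    while True:
        off = image.find(b"MZ", pos)
        if off < 0 or off + 64 > len(image):
            break
        pe_off = off + struct.unpack_from("<I", image, off + 0x3C)[0]
        if pe_off + 24 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
            pos = off + 1                     # stray 'MZ', keep searching
            continue
        nsections = struct.unpack_from("<H", image, pe_off + 6)[0]
        opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
        sec_table = pe_off + 24 + opt_size     # section headers follow the optional header
        if sec_table + 40 * nsections > len(image):
            pos = off + 1
            continue
        end_rel = sec_table - off + 40 * nsections          # end of headers, relative to MZ
        for i in range(nsections):
            raw_size, raw_ptr = struct.unpack_from("<II", image, sec_table + 40 * i + 16)
            end_rel = max(end_rel, raw_ptr + raw_size)       # PointerToRawData is MZ-relative
        end = min(off + end_rel, len(image))
        modules.append((off, image[off:end]))
        pos = end                              # do not rescan inside a parsed module
    return modules


def module_hash(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def scan_firmware(image: bytes, baseline: set) -> list:
    """Hash every embedded module; 'unknown' means it is not in the baseline."""
    return [{"offset": off, "sha256": module_hash(blob),
             "status": "known" if module_hash(blob) in baseline else "unknown"}
            for off, blob in find_pe_modules(image)]


# Constructed sample: two 'vendor' modules form the baseline; a third module
# stands in for a driver that was added to the image after the fact.
VENDOR_MODULES = [build_pe(b"vendor DXE driver A (constructed)"),
                  build_pe(b"vendor DXE driver B (constructed)")]
INJECTED_MODULE = build_pe(b"extra module not in the vendor baseline (constructed)")
BASELINE = {module_hash(m) for m in VENDOR_MODULES}


def make_image(with_injected: bool) -> bytes:
    parts = [PAD]
    for m in VENDOR_MODULES:
        parts += [m, PAD]
    if with_injected:
        parts += [INJECTED_MODULE, PAD]
    return b"".join(parts)


def unknown_modules(image: bytes) -> list:
    return [r for r in scan_firmware(image, BASELINE) if r["status"] == "unknown"]


if __name__ == "__main__":
    for label, img in (("clean", make_image(False)), ("modified", make_image(True))):
        for r in scan_firmware(img, BASELINE):
            print(f"{label:8s} offset=0x{r['offset']:05x} {r['status']:7s} {r['sha256'][:16]}")
```

The clean image reports both modules as known; the modified image additionally reports one unknown module at the offset where the extra driver was placed. The design choice worth noting is that the check is a whitelist, not a signature lookup: anything the vendor baseline cannot account for is reported, which is the only way to catch a module the scanner has never seen before.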

A detailed analysis of the code revealed that it was based on VectorEDK, a utility developed by 'HackingTeam' for attacking UEFI firmware.

Kaspersky attributed the MosaicRegressor attacks to a "Chinese-speaking" group, possibly associated with the Winnti hacking group. The analysis also revealed that all victims in this case had "some connection to the DPRK [North Korea], be it non-profit activity related to the country or actual presence within it".

The company says it was unable to find out exactly how the malicious firmware images were planted into victims' machines.

The latest revelation from Kaspersky comes more than three months after Microsoft said in June that it was adding a UEFI scanner to its Defender Advanced Threat Protection tool (Defender ATP) to help detect firmware attacks.

Microsoft said that if malware is spotted at the firmware level, the user receives a security alert in the Defender Security Centre, where they can analyse the threat and take appropriate steps to respond to the suspicious activity on the system.

Last year, Microsoft announced a range of Secured-Core PCs with integrated firmware protection, intended for mission-critical users in data-sensitive industries.