Dangerous UEFI Firmware Bootkit Puts PC Users Under Threat Of Persistent Attacks
When someone thinks of malware, the usual thought is an EXE file containing offending code that is downloaded to a target machine and executed by the user. However, a team at SecureList is trying to make people aware that an incredibly persistent malware framework can exist within a PC's UEFI firmware. The team, consisting of Mark Lechtik, Igor Kuznetsov, and Yury Parshin, found that a malware framework in the UEFI was used “in a series of targeted attacks pointed towards diplomats and members of an NGO from Africa, Asia, and Europe, all showing ties in their activity to North Korea.”
UEFI attacks are not necessarily new, but they are not often seen in the wild. As the SecureList team puts it, you do not see these attacks “due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target’s SPI flash chip, and the high stakes of burning sensitive toolset or assets when doing so.” When these attacks are used, however, the persistence they provide is ideal for malicious actors. Malware can be injected during the boot phase or while the operating system (OS) is running. Furthermore, the UEFI firmware will not be wiped if a user notices something odd on their machine; typically, they would only wipe the OS and call it a day. In the past, UEFI attacks have been seen with the LoJax implant or in hypothetical cases with the open-source VectorEDK bootkit. VectorEDK is particularly interesting because the team said they “hadn’t witnessed actual evidence of it in the wild” until now.
Upon investigating some suspicious UEFI firmware images, the team found components based on the VectorEDK bootkit with some customization added. A set of four modules completes the job by creating an executable in the Startup folder of a Windows machine, so the malicious software is launched automatically. If you were to remove that executable, it would simply be recreated, because the component that drops it is baked into the firmware and cannot be removed without specifically wiping the firmware itself.
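Because the dropper lives in the SPI flash rather than on disk, cleaning the OS or deleting the Startup-folder executable does not help; the defensive check that matters is comparing the firmware image itself against a known-good baseline. The following Python script is an added example written for this article, not code from SecureList or from the MosaicRegressor report. It walks a flash dump (assumed to have been captured earlier with a tool such as chipsec), locates UEFI firmware volumes by their `_FVH` header signature, validates each header's 16-bit checksum, hashes each volume, and reports volumes that were modified, added, or removed relative to a baseline taken from a clean machine. The dumps, GUIDs and volume bodies in the script are constructed stand-ins so it runs offline; nested volumes inside compressed sections are not expanded, which is a simplification of what a full firmware parser would do.

```python
import hashlib
import struct

# Fixed fields of EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec):
# ZeroVector[16], FileSystemGuid[16], FvLength u64, Signature "_FVH",
# Attributes u32, HeaderLength u16, Checksum u16, ExtHeaderOffset u16,
# Reserved u8, Revision u8  -> 56 bytes, signature at offset 0x28.
FVH_FMT = "<16s16sQ4sIHHHBB"
FVH_SIGNATURE = b"_FVH"
FVH_SIG_OFFSET = 0x28
FVH_MIN_HEADER = struct.calcsize(FVH_FMT)
FVH_CHECKSUM_OFFSET = 50


def header_checksum_ok(data: bytes, offset: int, hdr_len: int) -> bool:
    """The 16-bit words of the whole header must sum to zero mod 2**16."""
    words = struct.unpack_from("<%dH" % (hdr_len // 2), data, offset)
    return sum(words) & 0xFFFF == 0


def parse_fv_header(data: bytes, offset: int):
    """Return {'fv_length', 'header_length', 'fs_guid'} for a valid volume header, else None."""
    if offset < 0 or offset + FVH_MIN_HEADER > len(data):
        return None
    (_zero, fs_guid, fv_length, sig, _attrs, hdr_len,
     _csum, _ext, _res, _rev) = struct.unpack_from(FVH_FMT, data, offset)
    if sig != FVH_SIGNATURE or hdr_len < FVH_MIN_HEADER or hdr_len % 2:
        return None
    if fv_length < hdr_len or offset + fv_length > len(data):
        return None
    if not header_checksum_ok(data, offset, hdr_len):
        return None
    return {"fv_length": fv_length, "header_length": hdr_len, "fs_guid": fs_guid}


def find_firmware_volumes(data: bytes):
    """Scan a flash dump for top-level firmware volumes; return [(offset, length), ...]."""
    volumes, pos = [], 0
    while True:
        i = data.find(FVH_SIGNATURE, pos)
        if i < 0:
            break
        start = i - FVH_SIG_OFFSET
        hdr = parse_fv_header(data, start)
        if hdr is None:            # stray "_FVH" bytes, not a real header
            pos = i + 1
            continue
        volumes.append((start, hdr["fv_length"]))
        pos = start + hdr["fv_length"]   # skip the body; nested volumes are not expanded
    return volumes


def hash_volumes(data: bytes) -> dict:
    """Map volume offset -> SHA-256 of the whole volume (header + body)."""
    return {off: hashlib.sha256(data[off:off + ln]).hexdigest()
            for off, ln in find_firmware_volumes(data)}


def compare_to_baseline(dump: bytes, baseline: dict) -> list:
    """Diff a dump against a baseline {offset: sha256}; findings sorted by offset."""
    current = hash_volumes(dump)
    findings = []
    for off in sorted(set(baseline) | set(current)):
        if off not in current:
            findings.append(("missing", off))
        elif off not in baseline:
            findings.append(("unexpected", off))
        elif current[off] != baseline[off]:
            findings.append(("modified", off))
    return findings


# ---- constructed sample data (not real firmware) --------------------------
def build_fv(body: bytes, fs_guid: bytes) -> bytes:
    """Build a minimal volume with a correct header checksum (block map omitted)."""
    hdr_len = FVH_MIN_HEADER
    hdr = bytearray(struct.pack(FVH_FMT, b"\0" * 16, fs_guid, hdr_len + len(body),
                                FVH_SIGNATURE, 0, hdr_len, 0, 0, 0, 2))
    s = sum(struct.unpack_from("<%dH" % (hdr_len // 2), hdr)) & 0xFFFF
    struct.pack_into("<H", hdr, FVH_CHECKSUM_OFFSET, (-s) & 0xFFFF)
    return bytes(hdr) + body


GUID_A, GUID_B, GUID_C = b"\x11" * 16, b"\x22" * 16, b"\x33" * 16   # placeholder GUIDs
BODY_A_CLEAN = b"DXE drivers".ljust(160, b"\0")
BODY_A_TAMPERED = b"DXE drivers" + b"extra module".ljust(149, b"\0")  # same length, new content
BODY_B = b"NVRAM".ljust(80, b"\0")
ERASED = b"\xff"   # unprogrammed flash between volumes

CLEAN_DUMP = ERASED * 64 + build_fv(BODY_A_CLEAN, GUID_A) + ERASED * 32 + build_fv(BODY_B, GUID_B)
TAMPERED_DUMP = (ERASED * 64 + build_fv(BODY_A_TAMPERED, GUID_A) + ERASED * 32
                 + build_fv(BODY_B, GUID_B) + ERASED * 16 + build_fv(b"rogue".ljust(40, b"\0"), GUID_C))

if __name__ == "__main__":
    baseline = hash_volumes(CLEAN_DUMP)          # captured once from a known-good machine
    for kind, off in compare_to_baseline(TAMPERED_DUMP, baseline):
        print("%-10s volume at 0x%06x" % (kind, off))
```

On a real machine the baseline would come from the vendor's firmware update image or from a dump taken before deployment, and any “modified” or “unexpected” volume is the cue to reflash the SPI chip from a trusted image rather than just reinstalling Windows.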
In this case, the framework and the malware it deployed were dubbed MosaicRegressor, used for espionage and data collection. Between 2017 and 2019, “victims included diplomatic entities and NGOs in Africa, Asia and Europe.” All of these victims also had some connection to North Korea through their organizations, so this sort of attack is not random. It is suspected that the infection came through physical access to the machine or through extremely targeted payloads in documents pertaining to North Korea. It is also presumed the attacks were “conducted by a Chinese-speaking actor,” with several pieces of evidence to support the claim.
As the SecureList team explains, the “attacks described in this blog post demonstrate the length an actor can go in order to gain the highest level of persistence on a victim machine.” This sort of attack, while rare, is certainly possible, so security companies and individuals need to be aware of it. If you are concerned about compromised UEFI, you can read more of the post here.