Kaspersky researchers have uncovered an advanced persistent threat (APT) espionage campaign that uses a very rarely seen type of malware known as a firmware bootkit.
The new malware was detected by Kaspersky’s UEFI / BIOS scanning technology, which identified a previously unknown malware in the Unified Extensible Firmware Interface (UEFI), an essential part of any modern computer device, making it very difficult to detect and remove from the infected devices.
UEFI firmware is an essential part of a computer, which starts running before the operating system and all the programs installed in it. If UEFI firmware is somehow modified to contain malicious code, that code will be launched before the operating system, making its activity potentially invisible to security solutions.
This, and the fact that the firmware itself resides on a flash chip separate from the hard drive, makes attacks against UEFI exceptionally evasive and persistent. The infection of the firmware essentially means that, regardless of how many times the operating system has been reinstalled, the malware planted by the bootkit will stay on the device.
Kaspersky researchers found a sample of such malware used in a campaign that deployed variants of a complex, multi-stage modular framework dubbed MosaicRegressor. The framework was used for espionage and data gathering with UEFI malware being one of the persistence methods for this new, previously unknown malware.
The revealed UEFI bootkit components were based heavily on the ‘Vector-EDK’ bootkit developed by Hacking Team, the source code of which was leaked online in 2015. The leaked code most likely allowed perpetrators to build their own software with little development effort and diminished risk of exposure.
According to Kaspersky researchers, infections might have been possible through physical access to the victim’s machine, specifically with a bootable USB key, which would contain a special update utility. The patched firmware would then facilitate the installation of a Trojan downloader.
Based on the affiliation of the discovered victims, the researchers were able to determine that MosaicRegressor was used in a series of targeted attacks aimed at diplomats and members of NGOs from Africa, Asia and Europe.