Control-Alt-Can’t delete: customised firmware bootkit found in the wild
October 2020 by Kaspersky
Kaspersky’s researchers uncovered an advanced persistent threat (APT) espionage campaign that uses a very rarely seen type of malware known as a firmware bootkit. The new malware was detected by Kaspersky’s UEFI / BIOS scanning technology, which detects known and unknown threats. The scanning technology identified a previously unknown malware in the Unified Extensible Firmware Interface (UEFI), an essential part of any modern computer device, making it very difficult to detect and remove from the infected devices. The UEFI bootkit used with the malware is a custom version of Hacking Team’s bootkit, leaked in 2015.
UEFI firmware is an essential part of a computer, which starts running before the operating system and all the programs installed in it. If UEFI firmware is somehow modified to contain malicious code, that code will be launched before the operating system, making its activity potentially invisible to security solutions. This, and the fact that the firmware itself resides on a flash chip separate from the hard drive, makes attacks against UEFI exceptionally evasive and persistent – the infection of the firmware essentially means that regardless of how many times the operating system has been reinstalled, the malware planted by the bootkit will stay on the device.
Kaspersky researchers found a sample of such malware used in a campaign that deployed variants of a complex, multi-stage modular framework dubbed as MosaicRegressor. The framework was used for espionage and data gathering with UEFI malware being one of the persistence methods for this new, previously unknown malware.
The revealed UEFI bootkit components were based heavily on the ‘Vector-EDK’ bootkit developed by Hacking Team and which source code was leaked online in 2015. The leaked code most likely allowed perpetrators to build their own software with little development effort and diminished risk of exposure. The attacks were found with the help of Firmware Scanner, which has been included in Kaspersky products since the beginning of 2019. This technology was developed to specifically detect threats hiding in the ROM BIOS, including UEFI firmware images.
While it was not possible to detect the exact infection vector that allowed the attackers to overwrite the original UEFI firmware, Kaspersky researchers deduced one option of how it could be done based on what is known about VectorEDK from leaked Hacking Team documents. These suggest, without excluding other options, that infections might have been possible through physical access to the victim’s machine, specifically with a bootable USB key, which would contain a special update utility. The patched firmware would then facilitate the installation of a Trojan downloader – malware that enables any payload suitable for the attacker’s needs to be downloaded when the operating system is up and running.
In the majority of cases, however, MosaicRegressor components were delivered to victims using far less sophisticated measures, such as spearphishing delivery of a dropper hidden in an archive together with a decoy file. The multiple modules structure of the framework enabled the attackers to conceal the wider framework from analysis, and deploy components to target machines on demand only. The malware initially installed on the infected device is a Trojan-downloader, a program capable of downloading additional payload and other malware. Depending on the payload downloaded, the malware could download or upload arbitrary files from/to arbitrary URLs and gather information from the targeted machine.
Based on the affiliation of the discovered victims, the researchers were able to determine that MosaicRegressor was used in a series of targeted attacks aimed at diplomats and members of NGOs from Africa, Asia and Europe. Some of the attacks included spearphishing documents in the Russian language, while some were related to North Korea and used as a lure to download malware. The campaign has not been linked with confidence to any known advanced persistent threat actors.
Examples of lure documents bundled to malicious archives sent to MosaicRegressor victims
“Although UEFI attacks present wide opportunities to the threat actors, MosaicRegressor is the first publically known case where a threat actor used a custom made, malicious UEFI firmware in the wild. Previously known attacks observed in the wild simply repurposed legitimate software (for instance, LoJax), making this the first in the wild attack leveraging a custom made UEFI bootkit. This attack demonstrates that, albeit rarely, in exceptional cases actors are willing to go to great lengths in order to gain the highest level of persistence on a victim’s machine. Threat actors continue to diversify their toolsets and become more and more creative with the ways they target victims – and so should security vendors, in order to to stay ahead of the perpetrators. Thankfully, the combination of our technology and understanding of the current and past campaigns leveraging infected firmware helps us monitor and report on future attacks against such targets, ” comments Mark Lechtik, senior security researcher at Global Research and Analysis Team (GReAT) at Kaspersky. “The use of leaked third-party source code and its customization into a new advanced malware once again raises yet another reminder of the importance of data security. Once software – be it a bootkit, malware or something else — is leaked, threat actors gain a significant advantage. Freely available tools provide them with an opportunity to advance and customize their toolsets with less effort and lower chances of being detected,” comments Igor Kuznetsov, principal security researcher at Kaspersky’s GReAT.
In order to stay protected from threats such as MosaicRegressor, Kaspersky recommends:
• Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
• For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions, such as Kaspersky Endpoint Detection and Response.
• Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
• Use a robust endpoint security product that can detect the use of firmware, such as Kaspersky Endpoint Security for Business.
• Regularly update your UEFI firmware and only purchase firmware from trusted vendors.