Kaspersky researchers have uncovered an advanced persistent threat (APT) espionage campaign that uses a rarely seen type of malware: a firmware bootkit. The malware was detected by Kaspersky's UEFI/BIOS scanning technology, which looks for both known and unknown threats in firmware images. It flagged previously unknown malicious code in the Unified Extensible Firmware Interface (UEFI) firmware, a component present in every modern computer and one that ordinary security tools rarely inspect, which makes an implant there very hard to detect and remove. The UEFI bootkit used in the campaign is a customized version of the VectorEDK bootkit written by Hacking Team, whose source code leaked in 2015.
UEFI firmware is the code that runs first when a computer is powered on, before the operating system and every program installed on it. If the firmware is modified to contain malicious code, that code runs before the operating system loads, so its activity can be invisible to security solutions running inside the OS. That, together with the fact that the firmware lives on a flash chip on the mainboard rather than on the hard drive, makes attacks against UEFI exceptionally evasive and persistent. Reinstalling the operating system, or even replacing the disk, does not touch the flash chip: the implant planted by the bootkit stays on the device until the firmware itself is rewritten.
Kaspersky researchers found a sample of such malware in a campaign that deployed variants of a complex, multi-stage modular framework dubbed MosaicRegressor. The framework was used for espionage and data gathering, with the UEFI implant serving as one of several persistence methods for this previously unknown malware.
The UEFI bootkit components were based heavily on the VectorEDK bootkit developed by Hacking Team, whose source code leaked online in 2015. The leaked code most likely let the attackers build their own implant with little development effort and a lower risk of exposure.
The attacks were found with the help of Firmware Scanner, a technology included in Kaspersky products since the beginning of 2019 and developed specifically to detect threats hiding in the ROM BIOS, including UEFI firmware images.
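The paragraphs above make two technical points: a firmware implant persists because it lives in the flash chip rather than on the disk, and a firmware scanner finds it by inspecting the UEFI image itself for modules that should not be there. The Python script below is an added example written for this page; it is not Kaspersky's Firmware Scanner and contains no MosaicRegressor code. It parses a UEFI firmware volume in the FFS2 format using the header layouts from the UEFI PI specification, enumerates the files (PEI/DXE modules) the volume contains, hashes each one and reports modules that are absent from, or differ from, a trusted baseline. The firmware volume, the module GUIDs and the module bodies are constructed inside the script so that it runs offline; on a real machine the image would be dumped from the SPI flash and the baseline taken from the vendor's firmware update.

```python
"""Walk a UEFI firmware volume (FFS2) and flag modules missing from, or changed
against, a trusted baseline.  Added example for this page; not Kaspersky's
Firmware Scanner and not MosaicRegressor code.  Only the header layouts of
EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER from the UEFI PI spec are used."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FV_HEADER_LEN = 72      # 56-byte fixed header + one block-map entry + terminator entry
FFS_HEADER_LEN = 24
FILE_TYPES = {0x02: "FREEFORM", 0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER", 0xF0: "PAD"}


def _ffs_header_checksum(hdr):
    """8-bit sum over the header with IntegrityCheck (bytes 16-17) and State (byte 23) zeroed."""
    return (-(sum(hdr[:16]) + sum(hdr[18:23]))) & 0xFF


def build_volume(files, fv_size=0x1000):
    """Assemble a minimal FFS2 volume from (guid, file_type, data) tuples.  Test fixture only;
    a real scan would read the image dumped from the SPI flash instead."""
    body = bytearray()
    for guid, ftype, data in files:
        size = FFS_HEADER_LEN + len(data)
        # Name(16) | IntegrityCheck(2) | Type | Attributes | Size(3) | State (0xF8: valid, erase polarity 1)
        hdr = bytearray(guid.bytes_le + b"\0\0" + bytes([ftype, 0]) + size.to_bytes(3, "little") + b"\xf8")
        hdr[16] = _ffs_header_checksum(hdr)
        body += hdr + data
        body += b"\xff" * (-len(body) % 8)             # FFS files start on 8-byte boundaries
    hdr = bytearray(b"\0" * 16 + FFS2_GUID.bytes_le)   # ZeroVector, FileSystemGuid
    # FvLength, Signature, Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision
    hdr += struct.pack("<Q4sIHHHBB", fv_size, FV_SIGNATURE, 0x0004FEFF, FV_HEADER_LEN, 0, 0, 0, 2)
    hdr += struct.pack("<IIII", 1, fv_size, 0, 0)      # block map: one block, then {0,0} terminator
    hdr[50:52] = struct.pack("<H", (-sum(struct.unpack("<36H", hdr))) & 0xFFFF)  # 16-bit checksum
    padding = fv_size - len(hdr) - len(body)
    if padding < 0:
        raise ValueError("files do not fit in the volume")
    return bytes(hdr) + bytes(body) + b"\xff" * padding   # unused flash reads as 0xFF


def parse_volume(fv):
    """Yield (guid, file_type, data) for each FFS file; raise ValueError on a malformed volume."""
    if fv[40:44] != FV_SIGNATURE:
        raise ValueError("missing _FVH signature")
    if uuid.UUID(bytes_le=bytes(fv[16:32])) != FFS2_GUID:
        raise ValueError("not an FFS2 volume")
    (fv_len,) = struct.unpack_from("<Q", fv, 32)
    (hdr_len,) = struct.unpack_from("<H", fv, 48)
    if hdr_len % 2 or sum(struct.unpack(f"<{hdr_len // 2}H", fv[:hdr_len])) & 0xFFFF:
        raise ValueError("bad volume header checksum")
    end, off = min(fv_len, len(fv)), hdr_len
    while off + FFS_HEADER_LEN <= end:
        hdr = fv[off:off + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:            # erased flash: no more files
            break
        if (sum(hdr[:16]) + hdr[16] + sum(hdr[18:23])) & 0xFF:
            raise ValueError(f"bad FFS header checksum at 0x{off:x}")
        size = int.from_bytes(hdr[20:23], "little")
        if size < FFS_HEADER_LEN or off + size > end:
            raise ValueError(f"bad FFS file size at 0x{off:x}")
        yield uuid.UUID(bytes_le=bytes(hdr[:16])), hdr[18], bytes(fv[off + FFS_HEADER_LEN:off + size])
        off = (off + size + 7) & ~7


def scan_volume(fv, baseline):
    """Compare every non-pad file with baseline {guid: sha256 hex}; return [(guid, type, verdict)]."""
    findings = []
    for guid, ftype, data in parse_volume(fv):
        if ftype == 0xF0:
            continue
        name = FILE_TYPES.get(ftype, f"0x{ftype:02x}")
        known = baseline.get(str(guid))
        if known is None:
            findings.append((str(guid), name, "UNKNOWN"))
        elif known != hashlib.sha256(data).hexdigest():
            findings.append((str(guid), name, "MODIFIED"))
    return findings


# Constructed fixture: GUIDs and module bodies are placeholders, not real firmware modules.
DXE_CORE_GUID = uuid.UUID("0a000000-0000-4000-8000-000000000001")
VENDOR_DRIVER_GUID = uuid.UUID("0a000000-0000-4000-8000-000000000002")
IMPLANT_GUID = uuid.UUID("0a000000-0000-4000-8000-000000000003")
GOLDEN = [(DXE_CORE_GUID, 0x05, b"MZ\x90\x00 dxe core (constructed)"),
          (VENDOR_DRIVER_GUID, 0x07, b"MZ\x90\x00 vendor driver (constructed)")]
BASELINE = {str(g): hashlib.sha256(d).hexdigest() for g, _, d in GOLDEN}   # from the vendor image


def demo():
    """Scan a trojanised image: the vendor driver is patched in place and an extra driver appended."""
    trojanised = [GOLDEN[0],
                  (VENDOR_DRIVER_GUID, 0x07, b"MZ\x90\x00 vendor driver (patched)"),
                  (IMPLANT_GUID, 0x07, b"MZ\x90\x00 extra dxe driver (constructed)")]
    return scan_volume(build_volume(trojanised), BASELINE)


if __name__ == "__main__":
    assert scan_volume(build_volume(GOLDEN), BASELINE) == []    # clean image: nothing to report
    for guid, kind, verdict in demo():
        print(f"{verdict:8} {kind:8} {guid}")
```

Two caveats apply when this is used against a real image. First, the baseline must come from the vendor's firmware package or from a dump taken with an external SPI programmer, not from the machine under suspicion; an implant that already controls the platform firmware may be able to interfere with a read performed from inside the operating system. Second, production images contain nested firmware volumes and compressed sections, which this parser deliberately does not descend into; a full scanner would recurse into those before hashing.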
It was not possible to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware, but Kaspersky researchers deduced one possibility from what the leaked Hacking Team documents say about VectorEDK. Those documents suggest, without excluding other options, that infection could be carried out with physical access to the victim's machine, specifically by booting from a USB key containing a special update utility that writes the patched firmware. The patched firmware then installs a Trojan downloader once the operating system is up and running, and the downloader fetches whatever payload suits the attacker's needs.
In the majority of cases, however, MosaicRegressor components were delivered by far less sophisticated means, such as a spearphishing e-mail carrying a dropper hidden in an archive together with a decoy document. The framework's modular structure let the attackers keep the wider framework out of analysts' view and deploy components to target machines only on demand. The component installed first on an infected device is a Trojan downloader, a program that retrieves additional payloads and other malware. Depending on the payload, the malware could download or upload arbitrary files from or to arbitrary URLs and gather information about the targeted machine.
Based on the affiliation of the discovered victims, the researchers determined that MosaicRegressor was used in a series of targeted attacks on diplomats and members of NGOs in Africa, Asia and Europe. Some of the attacks used spearphishing documents written in Russian, and some used lures related to North Korea to get the victim to download the malware.
The campaign has not been linked with confidence to any known advanced persistent threat actors.
"Although
UEFI attacks present wide opportunities to the threat actors, MosaicRegressor is the first publicly known case where a threat actor used a custom-made, malicious UEFI firmware in the wild," said Mark Lechtik, senior security researcher at Global Research and Analysis Team (GReAT) at Kaspersky. "Previously known attacks observed in the wild simply repurposed legitimate software (for instance, LoJax), making this the first in-the-wild attack leveraging a custom-made UEFI bootkit.
This attack demonstrates that, albeit rarely, in exceptional cases,
actors are willing to go to great lengths in order to gain the highest
level of persistence on a victim's machine. Threat actors continue to
diversify their toolsets and become more and more creative with the ways
they target victims - and so should security vendors, in order to stay
ahead of the perpetrators. Thankfully, the combination of our technology
and understanding of the current and past campaigns leveraging infected
firmware helps us monitor and report on future attacks against such
targets."
"The
use of leaked third-party source code and its customization into a new
advanced malware once again raises yet another reminder of the
importance of data security," said Igor Kuznetsov, principal security
researcher at Kaspersky's GReAT. "Once software - be it a bootkit,
malware or something else - is leaked, threat actors gain a significant
advantage. Freely available tools provide them with an opportunity to
advance and customize their toolsets with less effort and lower chances
of being detected."
A more detailed analysis of the MosaicRegressor framework and its components will be presented on Securelist.
Register for SAS@Home to watch the presentation about MosaicRegressor and learn more about APTs and top-level cybersecurity discoveries here: https://kas.pr/tr59
In order to stay protected from threats such as MosaicRegressor, Kaspersky recommends: