June 9, 2023

Computers are made up of multiple components – both software and hardware, each with its own complexity. One such component happens to be the Unified Extensible Firmware Interface (UEFI) resides in mother board.

This naturally grants it access to the entire system as by default and starts running at the very start when a computer is turned on. However, being so important, it is also equally difficult for it to be infected by malware.

The researchers claims malware is in the form of a “compromised UEFI firmware image” with an implant that installs additional malware on the victim devices.

Found using Firmware Scanner; the malware has been linked to a larger framework that has been named MosaicRegressor, targets the diplomats

The researchers believed that the perpetrators behind the malware campaign are linked to the Democratic Republic of North Korea (DPRK). But on the other hand, some parts of the malware also point to the possibility that a Chinese attackers has a hand

Initially, the malware was found on the computer systems of 2 diplomats based in Asia. According to researchers, the malware works by placing a file named “IntelUpdate.exe” to the startup folder in Windows which basically contains all the files that are run as soon as a computer starts.

On the other hand, if the aforementioned executable is removed somehow, the malware automatically re-writes it maintaining persistence access to the victim’s machine. One of its functions includes stealing documents from the victim’s computer and transmitting it via a C2 server through the use of a library named “load.rem”.

One option is through physical access to the victim’s machine. This could be partially based on Hacking Team’s leaked material, according to which the installation of firmware infected with VectorEDK requires booting the target machine from a USB key. Such a USB would contain a special update utility that can be generated with a designated builder provided by the company. They found Q-flash update utility in our inspected firmware, which could have been used for such a purpose as well.

This remains a rare attack in the cybersecurity world and it is no surprise that many professions would have found themselves unprepared for it. For the future, it is important to realize that such attacks may become more mainstream and so further research is needed to protect against it.

Tags:

Leave a Reply

Related Post

Windows 11 Mandates TPM

Windows 11 Mandates TPM

June 26, 2021
Dell Bios Under Massive Attack

Dell Bios Under Massive Attack

June 24, 2021

You may have missed

ACT Government Victim of Barracuda ESG Vulnerability

ACT Government Victim of Barracuda ESG Vulnerability

June 9, 2023
Anonymous Sudan Claims Responsible for Outlook Outages

Anonymous Sudan Claims Responsible for Outlook Outages

June 9, 2023
Visual Studio Bug Results in Takeover

Visual Studio Bug Results in Takeover

June 8, 2023
Cisco Fixes Secure Client Security Flaw

Cisco Fixes Secure Client Security Flaw

June 8, 2023
CISA Releases Guidelines on RMM

CISA Releases Guidelines on RMM

June 8, 2023
CrowdStrike Platform Enhancements

CrowdStrike Platform Enhancements

June 8, 2023
%d bloggers like this: