MosaicRegressor: a UEFI rootkit in the limelight

Computers are made up of many components, both software and hardware, each with its own complexity. One such component is the Unified Extensible Firmware Interface (UEFI), the firmware that resides on the motherboard (in the SPI flash chip) rather than on the hard drive.

Because it runs from the moment the computer is turned on, before any operating system is loaded, UEFI firmware has access to the entire system by default. Code that lives there survives an operating-system reinstall or even a disk replacement, which is exactly what makes it attractive to attackers. On the other hand, firmware is also much harder to infect than the operating system: the attacker needs a way to write a modified image into the flash chip.

The researchers (Kaspersky, who published the findings in October 2020) describe the malware as a "compromised UEFI firmware image" carrying an implant that installs additional malware on the victim's devices.

The image was found by Kaspersky's Firmware Scanner, a component of its endpoint products that inspects the system firmware image. The implant has been linked to a larger malware framework that the researchers named MosaicRegressor, used in a campaign targeting diplomats and NGO members.
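What a firmware scanner does at its core is walk the firmware volumes in a flash dump, enumerate the executable modules (DXE and SMM drivers) and compare them against a known-good reference, flagging anything that should not be there. The following is an added example written for this page; it is not Kaspersky's Firmware Scanner nor any code from the MosaicRegressor report. It implements a minimal parser for the UEFI PI firmware-volume and FFS file headers and flags executable modules whose GUID is absent from an allowlist. The firmware image, the allowlist and every GUID in it are constructed for the demonstration and correspond to no real driver; on a real system the input would be an SPI flash dump (for example from chipsec or flashrom) and the allowlist the GUID set of the vendor's clean image for the same board.

```python
import struct
import uuid

# EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec, vol. 3): the "_FVH" signature sits 40 bytes
# into the header, FvLength (u64) at +32 and HeaderLength (u16) at +48.
FV_SIGNATURE = b"_FVH"
FV_SIG_OFFSET = 40
FV_MIN_HEADER = 56
FFS2_GUID = "8C8CE578-8A3D-4F1C-9935-896185C32DD3"  # EFI_FIRMWARE_FILE_SYSTEM2_GUID

# EFI_FFS_FILE_HEADER: Name GUID[16], IntegrityCheck u16, Type u8, Attributes u8, Size u24, State u8
FFS_HEADER = 24
FFS_ATTRIB_LARGE_FILE = 0x01  # 32-byte header variant with a u64 size at +24
FFS_PAD = 0xF0
FFS_TYPES = {
    0x01: "RAW", 0x02: "FREEFORM", 0x03: "SECURITY_CORE", 0x04: "PEI_CORE",
    0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DXE_DRIVER", 0x08: "COMBINED_PEIM_DRIVER",
    0x09: "APPLICATION", 0x0A: "SMM", 0x0B: "FIRMWARE_VOLUME_IMAGE",
    0x0C: "COMBINED_SMM_DXE", 0x0D: "SMM_CORE",
}
# Module types that run with full platform privilege in or after the DXE phase: where a rootkit hides.
EXECUTABLE_TYPES = {"DXE_CORE", "DXE_DRIVER", "COMBINED_PEIM_DRIVER", "SMM", "COMBINED_SMM_DXE", "SMM_CORE"}


def guid_str(raw: bytes) -> str:
    """EFI GUIDs are stored in mixed-endian form; uuid handles that via bytes_le."""
    return str(uuid.UUID(bytes_le=raw)).upper()


def find_volumes(image: bytes):
    """Return (offset, length, header_length) for every plausible firmware volume in a dump."""
    vols, pos = [], 0
    while (idx := image.find(FV_SIGNATURE, pos)) != -1:
        pos = idx + 1
        start = idx - FV_SIG_OFFSET
        if start < 0 or start + FV_MIN_HEADER > len(image):
            continue
        fv_len, = struct.unpack_from("<Q", image, start + 32)
        hdr_len, = struct.unpack_from("<H", image, start + 48)
        if hdr_len < FV_MIN_HEADER or fv_len < hdr_len or start + fv_len > len(image):
            continue  # signature bytes inside data, or a truncated dump
        vols.append((start, fv_len, hdr_len))
    return vols


def parse_files(image: bytes, start: int, fv_len: int, hdr_len: int):
    """Walk the FFS files of one volume. Free space is marked by an all-0xFF name."""
    files, off, end = [], start + hdr_len, start + fv_len
    while off + FFS_HEADER <= end:
        name = image[off:off + 16]
        if name == b"\xFF" * 16:
            break
        ftype, attrs = image[off + 18], image[off + 19]
        size = int.from_bytes(image[off + 20:off + 23], "little")
        hdr = FFS_HEADER
        if attrs & FFS_ATTRIB_LARGE_FILE:
            size, = struct.unpack_from("<Q", image, off + 24)
            hdr = 32
        if size < hdr or off + size > end:
            raise ValueError(f"corrupt FFS header at 0x{off:X}")
        if ftype != FFS_PAD:
            files.append({"guid": guid_str(name), "type": FFS_TYPES.get(ftype, f"0x{ftype:02X}"),
                          "offset": off, "size": size})
        off = start + ((off - start + size + 7) & ~7)  # files are 8-byte aligned within the volume
    return files


def unexpected_executables(files, allowlist):
    """Executable modules whose GUID is not in the reference image's set."""
    return [f for f in files if f["type"] in EXECUTABLE_TYPES and f["guid"] not in allowlist]


def scan(image: bytes, allowlist):
    hits = []
    for vol in find_volumes(image):
        hits += unexpected_executables(parse_files(image, *vol), allowlist)
    return hits


# --- Constructed test image (hypothetical GUIDs, not real firmware modules) -------------------
def _ffs(guid: str, ftype: int, body: bytes) -> bytes:
    size = FFS_HEADER + len(body)
    return (uuid.UUID(guid).bytes_le + struct.pack("<HBB", 0, ftype, 0)
            + size.to_bytes(3, "little") + b"\xF8" + body)


def build_sample_volume(entries) -> bytes:
    """One FFSv2 volume: 72-byte header (one block-map entry plus terminator), files, free space."""
    body = b""
    for guid, ftype, data in entries:
        body += _ffs(guid, ftype, data)
        body += b"\xFF" * (-len(body) % 8)
    fv_len = 72 + len(body) + 64
    hdr = (b"\x00" * 16 + uuid.UUID(FFS2_GUID).bytes_le + struct.pack("<Q", fv_len) + FV_SIGNATURE
           + struct.pack("<IHHHBB", 0, 72, 0, 0, 0, 2) + struct.pack("<IIII", 1, fv_len, 0, 0))
    return hdr + body + b"\xFF" * 64


KNOWN_GOOD = {"A0B1C2D3-1111-4222-8333-444455556666", "A0B1C2D3-7777-4888-8999-AAAABBBBCCCC"}
SAMPLE_ENTRIES = [
    ("A0B1C2D3-1111-4222-8333-444455556666", 0x07, b"MZ" + b"\x00" * 30),  # known DXE driver
    ("A0B1C2D3-7777-4888-8999-AAAABBBBCCCC", 0x0A, b"MZ" + b"\x00" * 14),  # known SMM driver
    ("DEADBEEF-0000-4000-8000-000000000001", 0x01, b"setup-defaults"),     # RAW data, not executable
    ("DEADBEEF-0000-4000-8000-000000000002", 0x07, b"MZ" + b"\x00" * 22),  # DXE driver nobody expected
]

if __name__ == "__main__":
    for f in scan(build_sample_volume(SAMPLE_ENTRIES), KNOWN_GOOD):
        print(f"unexpected {f['type']} {f['guid']} at 0x{f['offset']:X} ({f['size']} bytes)")
```

An allowlist by GUID is only the first filter: an attacker can also replace the body of a legitimately named module, so a real comparison hashes each file's contents against the reference image as well. Compressed or GUID-defined sections inside a file are not expanded here, which is why the sample keeps file bodies flat.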

The researchers note that all the victims had some connection to the Democratic People's Republic of Korea (DPRK), whether through non-profit work related to the country or an actual presence there. Parts of the malware, on the other hand, point to Chinese-speaking attackers, and the researchers attribute the campaign to such an actor only with low confidence.

Initially, the implant was found on the computers of two diplomats based in Asia. According to the researchers, the firmware component works by writing a file named "IntelUpdate.exe" into the Windows Startup folder, whose contents are run as soon as a user logs on. Because this write is performed by a driver in the firmware, before Windows has booted, the operating system never sees a process create the file.

If the executable is removed, the firmware simply writes it again on the next boot, so the attacker keeps persistent access to the victim's machine no matter how thoroughly the operating system is cleaned. One of the functions of the malware that IntelUpdate.exe installs is stealing documents from the victim's computer and transmitting them to a C2 server, through a library named "load.rem".
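The re-creation described above has a useful forensic signature: the file reappears in the Startup folder after a reboot, yet no process on the running system ever created it. The following is an added example for this page, not code from the researchers or from the report. It correlates constructed Startup-folder listings taken after each logon with constructed FileCreate/FileDelete telemetry records in a simplified Sysmon-like shape (not real Sysmon output), and flags any entry that is present after a boot although it was deleted, or absent, before and no OS-visible write explains it. All paths, timestamps and process names are made up for the demonstration.

```python
from datetime import datetime, timezone

STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reappeared_without_os_write(snapshots, events):
    """
    snapshots: [(time_taken, {file names seen in the Startup folder after that logon}), ...]
    events:    [(time, "FileCreate" | "FileDelete", image, full path), ...] from endpoint telemetry
    Returns entries that exist at a snapshot although, since they were last deleted (or since the
    previous snapshot if they were new), no process on the running OS created them.
    """
    findings = []
    for (prev_t, prev_set), (cur_t, cur_set) in zip(snapshots, snapshots[1:]):
        t0, t1 = _t(prev_t), _t(cur_t)
        window = [(_t(t), ev, img, path.rsplit("\\", 1)[-1]) for t, ev, img, path in events
                  if t0 <= _t(t) < t1 and path.startswith(STARTUP_DIR + "\\")]
        for name in sorted(cur_set):
            deletes = [t for t, ev, _, n in window if ev == "FileDelete" and n == name]
            creates = [t for t, ev, _, n in window if ev == "FileCreate" and n == name]
            # Nothing to explain if the file was there before and was never deleted in between.
            since = max(deletes) if deletes else (None if name in prev_set else t0)
            if since is None:
                continue
            if not any(c >= since for c in creates):
                findings.append({
                    "file": name,
                    "boot": cur_t,
                    "reason": f"present after boot, no OS-visible FileCreate since {since.isoformat()}",
                })
    return findings


# Constructed telemetry: the analyst deletes IntelUpdate.exe on the 5th, Teams drops a new
# shortcut the same evening (with a normal create event), and the machine is rebooted on the 6th.
SAMPLE_EVENTS = [
    ("2020-10-05T08:02:10Z", "FileCreate", r"C:\Windows\explorer.exe", STARTUP_DIR + r"\Slack.lnk"),
    ("2020-10-05T17:30:00Z", "FileDelete", r"C:\Windows\explorer.exe", STARTUP_DIR + r"\IntelUpdate.exe"),
    ("2020-10-05T18:00:00Z", "FileCreate", r"C:\Users\alice\AppData\Local\Temp\TeamsSetup.exe",
     STARTUP_DIR + r"\Teams.lnk"),
]
# Constructed Startup-folder listings collected after each logon.
SAMPLE_SNAPSHOTS = [
    ("2020-10-05T08:10:00Z", {"Slack.lnk", "IntelUpdate.exe"}),
    ("2020-10-06T08:10:00Z", {"Slack.lnk", "IntelUpdate.exe", "Teams.lnk"}),
]

if __name__ == "__main__":
    for f in reappeared_without_os_write(SAMPLE_SNAPSHOTS, SAMPLE_EVENTS):
        print(f"{f['boot']} {f['file']}: {f['reason']}")
```

A hit means something wrote to the NTFS volume outside the running operating system's view: pre-boot firmware, as in this campaign, but also offline access to the disk or simply a gap in telemetry. It is a reason to dump and verify the SPI flash, not a verdict on its own; a file that a scheduled task or service re-creates would instead show up with a FileCreate event and an image to chase.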

How the firmware was infected in the first place is not known with certainty. One option is physical access to the victim's machine. This is partly suggested by Hacking Team's leaked material, according to which installing firmware infected with VectorEDK (the leaked bootkit whose components the implant reuses) requires booting the target machine from a USB key. Such a USB key would contain a special update utility generated with a builder provided by the company. The researchers found a Q-Flash update utility in the inspected firmware, which could have been used for such a purpose as well.

Firmware implants remain rare in the wild, so it is no surprise that many organisations are unprepared for them. For the future, it is important to realise that such attacks may become more mainstream, and further research into detecting and preventing them is needed. In the meantime, dumping the SPI flash and comparing it against the vendor's image, and enabling the platform's flash write protections, are the practical checks available to defenders.
