MosaicRegressor is only the second UEFI rootkit that has been observed deployed in the wild. UEFI stands for Unified Extensible Firmware Interface, and its firmware is a particularly attractive target for malware operators because it resides on a Serial Peripheral Interface (SPI) flash chip soldered directly to the computer's motherboard. As a result, malware that implants itself there gains tremendous persistence on the compromised system: it survives reinstallation of the operating system and any replacement of the hard drives.
The name MosaicRegressor was given to this UEFI rootkit by the researchers who first discovered it. According to their findings, MosaicRegressor was not built from scratch. Instead, the attackers took the code of Hacking Team's VectorEDK bootkit, which was leaked back in 2015, and modified it heavily. The cybercriminals built a rather complex framework around the rootkit's activities. It incorporates multiple downloaders and several intermediate loaders before the final payload modules are dropped on the compromised system. This layered structure, together with the fact that the malicious modules are executed only upon receiving the appropriate command from the operators, creates significant obstacles for analysis of the rootkit. Nevertheless, security researchers were able to determine that one particular module was responsible for collecting, archiving, and then exfiltrating any files found in the Recent Documents folder.
The Victims Of MosaicRegressor Share A North Korean Connection
Entities from several different continents appear to be among the victims of MosaicRegressor. The rootkit was found on computers belonging to several non-governmental organizations (NGOs) and diplomatic entities located in Europe, Africa, and Asia between 2017 and 2019. The only common thread the cybersecurity researchers were able to find among the victims is a link to North Korea: all affected organizations either had a presence in the country or conducted non-profit activities related to it. In fact, one of the attack vectors employed by the hackers was to distribute malicious self-extracting (SFX) archives disguised as documents discussing various North Korea-related subjects.