Security researchers have come across a UEFI-embedded Trojan capable of harvesting data from infected MS Windows machines. Unlike other common Trojans, the new threat pierces a hole in the Unified Extensible Firmware Interface (UEFI), planting itself deep within the motherboard’s flash memory. As a result, the malware gains extreme persistence on the infected PC, making it effectively immune to antivirus tools. Moreover, the Trojan would not go away even after a clean installation of your MS Windows OS.
This is only the second time hackers have devised a UEFI-tailored piece of malware; it comes two years after the LoJax threat appeared on the horizon in 2018.
The UEFI-based malware served as a backdoor for yet another malicious executable called “IntelUpdate.exe”. The latter aims to deliver additional malware and exfiltrate data from infected machines. Moreover, it loads during system startup, coming back over and over again. If you removed the .exe file, the UEFI-resident Trojan would restore it during the next startup unless you wipe the malicious UEFI firmware altogether.
Targets & Suspects
So far, most of the registered attacks have targeted diplomatic and non-government organizations presumed to have connections to North Korea in one way or another. Spread across Europe, Asia, and Africa, the victims got the malware through a malicious framework known as MosaicRegressor. A closer examination of the malware linked it to a particular C&C server formerly associated with Winnti, a cybergang supposedly backed by the Chinese authorities. The presence of Chinese characters within the code itself further supports that theory. Nevertheless, the lack of hard evidence suggests that the claim may be mere speculation rather than a fact.
Origin and Infection Vector
The origin of the UEFI-based malware can be traced back to 2015, when an Italian surveillance technology company known as Hacking Team fell victim to data theft. The data — a project dealing with UEFI-targeted malware attacks — leaked on the web shortly after that incident. However, it is not clear whether the crooks in charge relied on that data or exploited a different BIOS vulnerability instead. The infection vector, on the other hand, is just as vague. Although victims appear to have received phishing emails from the hackers in question, none of those emails contained the payload.