Meet MosaicRegressor, a UEFI boot-kit that illustrates how far attackers will go


Before your PC boots into Windows, it runs something called UEFI (Unified Extensible Firmware Interface). Many years ago this role was played by the BIOS (basic input/output system), but that functionality has since evolved into the newer UEFI.

Much like BIOS, UEFI starts running before the operating system does, and it is what tells you whether everything is working correctly. But what if that process were compromised?

This week Kaspersky alerted us to a new piece of malware that embeds itself in the UEFI as a boot-kit, meaning that no matter how often you restart your PC, the malware persists.

According to Kaspersky, the boot-kit’s components bear a resemblance to the Vector-EDK boot-kit developed by Hacking Team, whose source code was leaked online five years ago.

The firm has dubbed the malware MosaicRegressor.

“Although UEFI attacks present wide opportunities to the threat actors, MosaicRegressor is the first publicly known case where a threat actor used a custom-made, malicious UEFI firmware in the wild. Previously known attacks observed in the wild simply repurposed legitimate software (for instance, LoJax), making this the first in-the-wild attack leveraging a custom-made UEFI bootkit. This attack demonstrates that, albeit rarely, in exceptional cases actors are willing to go to great lengths in order to gain the highest level of persistence on a victim’s machine,” said senior security researcher at Kaspersky’s Global Research and Analysis Team, Mark Lechtik.

So how does this malware get on to your PC?

At the time of writing, Kaspersky suspects the most likely vector is physical access to a machine, using a bootable USB drive that contains modified firmware. Once the firmware has been patched, another piece of malware could be installed for the attacker to use when the system is up and running.

The malware could also be delivered through a spear-phishing attack, but Kaspersky’s logs show no sign of this happening.

“Threat actors continue to diversify their toolsets and become more and more creative with the ways they target victims – and so should security vendors, in order to stay ahead of the perpetrators. Thankfully, the combination of our technology and understanding of the current and past campaigns leveraging infected firmware helps us monitor and report on future attacks against such targets,” said Lechtik.

What makes this malware so dangerous is that it could be downloading further malware to your PC without you knowing at all.

“The fact that the framework consists of multiple modules assists the attackers to conceal the wider framework from analysis, and deploy components to target machines only on demand. Indeed, we were able to obtain only a handful of payload components during our investigation,” wrote Kaspersky in its research.

This sounds like an awful lot of work for an attacker especially if they have to physically be near a machine to compromise it.

The good news is that some security products can detect when firmware is being tampered with. Kaspersky points to its own business security solution here (as it would), but if you prefer a different vendor, look for products that guard against firmware attacks.

More importantly, download UEFI updates directly from trusted vendors, and train your staff to look out for suspicious files, and indeed suspicious people.

You can read more about MosaicRegressor here.

[Image – CC 0 Pixabay]

Brendyn Lotz


Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.