Kaspersky uncovers spy campaign using rare malware known as a firmware bootkit – Back End News




Kaspersky researchers discovered an advanced persistent threat (APT) spy campaign that uses a rarely seen type of malware known as a firmware bootkit. The new malware was detected by Kaspersky’s UEFI/BIOS scanning technology, which detects both known and unknown threats.

The scanning technology identified previously unknown malware in the Unified Extensible Firmware Interface (UEFI), an essential part of any modern computing device, where it is very difficult to detect and remove. The UEFI bootkit used by the malware is a customized version of the Hacking Team bootkit whose source code leaked in 2015.

UEFI firmware is an essential part of a computer: it starts running before the operating system and all the programs installed on it. If the UEFI firmware is modified to contain malicious code, that code runs before the operating system, making its activity potentially invisible to security solutions running inside the operating system. This, and the fact that the firmware resides on a separate flash chip on the motherboard rather than on the hard drive, makes attacks against UEFI exceptionally evasive and persistent: a firmware infection means that no matter how many times the operating system is reinstalled, or even if the hard drive is replaced, the malware planted by the bootkit remains on the device.


Kaspersky researchers found a sample of such malware used in a campaign that deployed variants of a complex multi-stage modular framework called MosaicRegressor. The framework was used for espionage and data collection, and the UEFI implant is one of the persistence methods of this previously unknown malware.

The UEFI bootkit components that were uncovered are largely based on the “Vector-EDK” bootkit developed by Hacking Team, whose source code was leaked online in 2015. The leaked code likely allowed the perpetrators to build their own software with little development effort and less risk of exposure.

The attacks were found with the help of Firmware Scanner, which has been included in Kaspersky products since early 2019. This technology was developed specifically to detect threats lurking in the ROM BIOS, including UEFI firmware images.
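The kind of integrity check a firmware scanner performs on a flash image can be illustrated with a small inventory-and-diff tool. The following Python is an added example written for this article; it is not Kaspersky’s Firmware Scanner and not code from the MosaicRegressor report. It parses a UEFI firmware volume in the Firmware File System v2 format, verifies the volume and file header checksums, records the GUID, type and SHA-256 of every embedded file, and diffs that inventory against a known-good baseline, which is how an added or patched DXE driver shows up. The two firmware volumes, their file GUIDs and their contents are constructed inline for the example and are not real vendor firmware or real MosaicRegressor components.

```python
import hashlib
import struct
import uuid
from collections import namedtuple

# Layout constants from the UEFI Platform Initialization spec (Firmware File System v2).
FV_SIGNATURE = b"_FVH"
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"   # fixed 56-byte part; the block map follows it
FFS_HEADER_SIZE = 24                 # EFI_FFS_FILE_HEADER
FFS_ATTRIB_CHECKSUM = 0x40
FILE_TYPES = {0x02: "FREEFORM", 0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER",
              0x09: "APPLICATION", 0xF0: "PAD"}
FfsFile = namedtuple("FfsFile", "guid ftype size sha256")

def _sum8(data):
    return sum(data) & 0xFF

def parse_fv(image, offset=0):
    """Inventory every file in the firmware volume whose header starts at `offset`."""
    (_, fs_guid, fv_len, sig, _, hdr_len, _, _, _, _) = struct.unpack_from(FV_HEADER_FMT, image, offset)
    if sig != FV_SIGNATURE:
        raise ValueError("no _FVH signature at offset %#x" % offset)
    if uuid.UUID(bytes_le=fs_guid) != FFS2_GUID:
        raise ValueError("not an FFSv2 volume")
    # The 16-bit words of the whole volume header must sum to zero.
    if sum(struct.unpack_from("<%dH" % (hdr_len // 2), image, offset)) & 0xFFFF:
        raise ValueError("FV header checksum mismatch")
    files, pos, end = [], offset + hdr_len, offset + fv_len
    while True:
        pos = (pos + 7) & ~7                      # files are 8-byte aligned
        if pos + FFS_HEADER_SIZE > end:
            break
        hdr = image[pos:pos + FFS_HEADER_SIZE]
        if hdr == b"\xff" * FFS_HEADER_SIZE:      # erased flash: no more files
            break
        name = uuid.UUID(bytes_le=hdr[:16])
        file_csum, ftype, attrs = hdr[17], hdr[18], hdr[19]
        size = int.from_bytes(hdr[20:23], "little")  # 24-bit, includes the header
        if size < FFS_HEADER_SIZE or pos + size > end:
            raise ValueError("bad file size for %s" % name)
        chk = bytearray(hdr)                      # header checksum is taken with the
        chk[17] = chk[23] = 0                     # file checksum and state bytes zeroed
        if _sum8(chk):
            raise ValueError("FFS header checksum mismatch for %s" % name)
        body = image[pos + FFS_HEADER_SIZE:pos + size]
        if attrs & FFS_ATTRIB_CHECKSUM:
            if (_sum8(body) + file_csum) & 0xFF:
                raise ValueError("FFS data checksum mismatch for %s" % name)
        elif file_csum != 0xAA:                   # fixed value when no data checksum
            raise ValueError("unexpected file checksum for %s" % name)
        files.append(FfsFile(str(name), FILE_TYPES.get(ftype, "0x%02x" % ftype),
                             size, hashlib.sha256(body).hexdigest()))
        pos += size
    return files

def diff_inventory(baseline, current):
    """Return (added, removed, changed) file GUIDs of `current` relative to `baseline`."""
    b, c = {f.guid: f for f in baseline}, {f.guid: f for f in current}
    changed = sorted(g for g in b.keys() & c.keys() if b[g].sha256 != c[g].sha256)
    return sorted(c.keys() - b.keys()), sorted(b.keys() - c.keys()), changed

def scan(baseline_image, dump_image):
    return diff_inventory(parse_fv(baseline_image), parse_fv(dump_image))

# --- Constructed sample volumes (assumption: made up for the example, not real firmware) ---
def build_ffs(guid, ftype, body):
    size = FFS_HEADER_SIZE + len(body)
    hdr = bytearray(uuid.UUID(guid).bytes_le + bytes([0, 0, ftype, 0])
                    + size.to_bytes(3, "little") + b"\x00")
    hdr[16] = (0x100 - _sum8(hdr)) & 0xFF   # header checksum while file csum/state are 0
    hdr[17] = 0xAA                           # no FFS_ATTRIB_CHECKSUM -> fixed 0xAA
    hdr[23] = 0xF8                           # valid-file state bits, erase polarity 1
    return bytes(hdr) + body

def build_fv(files, total=4096):
    body = b""
    for guid, ftype, data in files:
        body += build_ffs(guid, ftype, data)
        body += b"\xff" * (-len(body) % 8)   # pad to the next 8-byte boundary
    hdr = bytearray(struct.pack(FV_HEADER_FMT, b"\x00" * 16, FFS2_GUID.bytes_le, total,
                                FV_SIGNATURE, 0x0800, 72, 0, 0, 0, 2))
    hdr += struct.pack("<IIII", 1, total, 0, 0)  # one block-map entry plus terminator
    struct.pack_into("<H", hdr, 50, (0x10000 - sum(struct.unpack("<36H", hdr))) & 0xFFFF)
    image = bytes(hdr) + body
    return image + b"\xff" * (total - len(image))

DXE_CORE_GUID = "aaaaaaaa-0000-4000-8000-000000000001"      # made-up GUIDs
NET_DRIVER_GUID = "aaaaaaaa-0000-4000-8000-000000000002"
IMPLANT_GUID = "bbbbbbbb-0000-4000-8000-0000000000ff"
BASELINE = build_fv([(DXE_CORE_GUID, 0x05, b"DXE core (constructed)"),
                     (NET_DRIVER_GUID, 0x07, b"network driver (constructed)")])
INFECTED = build_fv([(DXE_CORE_GUID, 0x05, b"DXE core (constructed)"),
                     (NET_DRIVER_GUID, 0x07, b"network driver (PATCHED)"),
                     (IMPLANT_GUID, 0x07, b"extra DXE driver acting as a bootkit loader")])
```

On a real machine the image under test would be a dump of the SPI flash (for example taken with `chipsec_util spi dump` or `flashrom -p internal -r`), and the baseline would be the vendor’s own update image or a dump taken when the machine was provisioned. A real dump contains several volumes, often nested inside compressed sections, so the parser would be run at every `_FVH` offset found in the dump and descend into nested volumes; the example keeps to a single flat volume to show the structure and the checks.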

While it was not possible to identify the exact infection vector that allowed the attackers to overwrite the original UEFI firmware, Kaspersky researchers deduced one way it could have been done, based on what is known about VectorEDK from the leaked Hacking Team documents. These suggest, without excluding other options, that the infections could have been carried out through physical access to the victim’s machine, specifically with a bootable USB key containing a special update utility. The patched firmware would then facilitate the installation of a Trojan downloader, malware that fetches any payload suited to the attacker’s needs once the operating system is up and running.

In most cases, however, the MosaicRegressor components were delivered to the victims using much less sophisticated measures, such as a dropper hidden in an archive together with a decoy document sent via spear phishing. The multi-module structure of the framework allowed the attackers to hide the wider framework from analysis and deploy components to target machines only on demand.

The malware initially installed on the infected device is a Trojan downloader, a program capable of downloading additional payloads and other malware.

Depending on the downloaded payload, the malware could download or upload arbitrary files to or from arbitrary URLs and collect information from the target machine.

Based on the affiliation of the discovered victims, investigators were able to determine that MosaicRegressor was used in a series of attacks targeting diplomats and NGO members in Africa, Asia and Europe. Some of the attacks used spear-phishing documents written in Russian, while others used documents related to North Korea as lures to download the malware.

The campaign has not been confidently linked to any known advanced persistent threat actors.

To stay protected from threats like MosaicRegressor, Kaspersky recommends:

  • Give your SOC team access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing data and insights on cyberattacks gathered by Kaspersky over more than 20 years.
  • For endpoint-level detection, investigation, and timely remediation of incidents, implement EDR solutions, such as Kaspersky Endpoint Detection and Response.
  • Provide your staff with basic training in cybersecurity hygiene, as many targeted attacks start with phishing or other social engineering techniques.
  • Use a robust endpoint security product that can detect threats at the firmware level, such as Kaspersky Endpoint Security for Business.
  • Update your UEFI firmware regularly and only use firmware from trusted vendors.


