An advanced persistent threat (APT) espionage campaign that uses a rare form of malware has been observed attacking diplomats and members of NGOs.
The campaign, which relies on a firmware bootkit, was identified by researchers at Kaspersky who were operating UEFI/BIOS scanning technology. The previously unknown malware was identified in the Unified Extensible Firmware Interface (UEFI).
UEFI firmware is used in all modern computer devices and starts running before the operating system and all the programs installed in it. This, together with the fact that the firmware resides on a flash chip separate from a device’s hard drive, makes the detection of any malware in UEFI firmware very difficult.
“If UEFI firmware is somehow modified to contain malicious code, that code will be launched before the operating system, making its activity potentially invisible to security solutions,” said a Kaspersky spokesperson.
“The infection of the firmware essentially means that, regardless of how many times the operating system has been reinstalled, the malware planted by the bootkit will stay on the device.”
Researchers said the UEFI bootkit used with the malware is a customized version of Hacking Team’s Vector-EDK bootkit, the source code for which was leaked in 2015. It is the first in-the-wild attack leveraging a custom-made UEFI bootkit.
“Once software—be it a bootkit, malware or something else—is leaked, threat actors gain a significant advantage,” said Igor Kuznetsov, principal security researcher at Kaspersky’s GReAT.
“Freely available tools provide them with an opportunity to advance and customize their toolsets with less effort and lower chances of being detected.”
A sample of the bootkit malware was used in a campaign that deployed variants of a complex, multi-stage modular framework dubbed MosaicRegressor that was used for espionage and data gathering.
Based on the affiliation of the victims, researchers determined that MosaicRegressor was used in a series of targeted attacks aimed at diplomats and members of NGOs from Africa, Asia, and Europe.
Though unsure of exactly how the infections occurred, researchers found that they may have been possible through physical access to the victim’s machine, specifically with a bootable USB key, which would contain a special update utility.