MosaicRegressor, attack via UEFI bootkit
Researchers Mark Lechtik and Igor Kuznetsov of Kaspersky discovered a new malicious campaign from China which, through the use of a UEFI bootkit, targeted diplomats and non-governmental organizations in Europe, Asia and Africa. The goal is to download and install malware on victims' computers in order to steal data and information.
Kaspersky's duo identified the attack, most likely carried out through physical access to the computer, after the software house's Firmware Scanner tool flagged two computers as "suspicious". The subsequent analysis showed that the malicious code was designed to run an autorun process at every startup, named MosaicRegressor and capable of downloading malware.
According to what has emerged so far, one of the malicious actions carried out consists of collecting the documents recently opened by the user and compressing them into a password-protected archive, almost certainly with the aim of sending them to a remote server through another component. All the targets identified have some connection with North Korea or carry out activities in the country ruled by Kim Jong-un.
Analysis of the MosaicRegressor code has also brought to light several similarities with VectorEDK, a utility already known to insiders as a tool for compromising UEFI firmware. It was created by Hacking Team, the Milan-based Italian company that many will remember as the protagonist, a few years ago, of an affair in which the local authorities also intervened.
Source: Kaspersky (PDF)
UEFI bootkit, MosaicRegressor: diplomats in the crosshairs
Since the UEFI firmware is a component of crucial importance, residing directly on the motherboard, in control of every hardware component and responsible for loading the software platform, it is not hard to understand why an action capable of tampering with or altering it results in a very high risk that is difficult to get rid of. Such a threat can survive even a fresh installation of the operating system. Something similar was discovered in 2018 by ESET: in that case the responsibility was attributed to Fancy Bear, a group believed to be close to the Russian government.