Second-ever UEFI rootkit used in North Korea-themed attacks

A China-linked threat actor used UEFI malware based on code from Hacking Team in attacks aimed at organizations with an interest in North Korea.

Researchers from Kaspersky have spotted a UEFI malware that was involved in attacks on organizations with an interest in North Korea.

The experts were investigating several suspicious UEFI firmware images when discovered four components, some of which were borrowing the source code a Hacking Team spyware.

In 2015, the hacker who breached the systems of the Italian surveillance firm Hacking Team leaked a 400GB package containing hacking tools and exploits codes. The archive included a number of zero-day exploits for Adobe Flash Player and Microsoft IE, these codes are just part of the hacking arsenal of the surveillance firm, which developed the popular Remote Control System (RCS) spyware, also known as Galileo. RCS has a modular structure that allows it to compromise several targets by loading the necessary zero-day exploits.

Trend Micro was the first security firm to discover the availability of a UEFI BIOS rootkit in the arsenal of the Hacking Team that allowed the company’s spyware to ensure the persistence even if the victims had formatted their hard disk to reinstall the Operating System.

“Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.” stated Trend Micro.

The firmware malware is based on code associated with HackingTeam’s VectorEDK bootkit, with minor changes.

Experts revealed that they were not able to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware.

Experts speculate that the threat actors need to have physical access in order to deploy the implant into the victim’s machine.  However, researchers don’t exclude that a rogue firmware was pushed remotely through a supply chain attack. 

“Of course, we cannot exclude other possibilities whereby rogue firmware was pushed remotely, perhaps through a compromised update mechanism. Such a scenario would typically require exploiting vulnerabilities in the BIOS update authentication process. While this could be the case, we don’t have any evidence to support it,” reads the analysis published by Kaspersky.

The UEFI implant spotted by Kaspersky was used to deploy a new piece of malware that experts classified as a variant derived from a wider framework that they tracked as MosaicRegressor.

The MosaicRegressor framework was developed for cyber espionage purposes, its modular architecture allows operators to perform multiple actions.

Kaspersky researchers revealed to have found MosaicRegressor components at several dozen entities between 2017 and 2019. The list of victims included NGOs and diplomatic entities in Asia, Africa and Europe.

Researchers speculate the threat actors behind these attacks are linked with the Winnti APT.

“The attacks described in this blog post demonstrate the length an actor can go in order to gain the highest level of persistence on a victim machine. It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target’s SPI flash chip, and the high stakes of burning sensitive toolset or assets when doing so.” concludes the report.

“With this in mind, we see that UEFI continues to be a point of interest to APT actors, while at large being overlooked by security vendors.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, UEFI)

[adrotate banner=”5″]

[adrotate banner=”13″]