Hacking Team Spyware uses a UEFI BIOS Rootkit to gain persistence

Pierluigi Paganini July 15, 2015

Documents leaked online after the Hacking Team hack revealed that the company used a UEFI BIOS rootkit to gain persistence for its spyware software.

The recent data breach suffered by the surveillance firm Hacking Team is shocking the IT security industry, the hackers leaked company emails, source codes and contracts revealing uncomfortable truths.

Security experts mainly focused their analysis on the hacking tools and exploits codes included in the 400GB package leaked online. The archive included a number of zero-day exploits for Adobe Flash Player and Microsoft IE, these codes are just part of the hacking arsenal of the surveillance firm, which developed the popular Remote Control System (RCS) spyware, also known as Galileo. RCS has a modular structure that allows it to compromise several targets by loading the necessary zero-day exploits.

Hackig Team UEFI BIOS InstallAgent-1a

Last revelation made by the experts at Trend Micro in order of time, is the availability of a UEFI BIOS rootkit in the arsenal of the Hacking Team that allows the company to ensure the persistence for its malware even if the victims will format their hard disk to reinstall the Operating System.

“Hacking Team uses a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. This means that even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.states Trend Micro.

The UEFI BIOS rootkit used by the Hacking Team was specifically designed to compromise UEFI BIOS systems developed by two of the most popular vendors, Insyde and AMI vendors.

The experts at the Hacking Team explained that attackers need physical access to the target machine to serve the UEFI BIOS rootkit by flashing the BIOS.

“A Hacking Team slideshow presentation claims that successful infection requires physical access to the target system; however, we can’t rule out the possibility of remote installation. An example attack scenario would be: The intruder gets access to the target computer, reboots into UEFI shell, dumps the BIOS, installs the BIOS rootkit, reflashes the BIOS, and then reboots the target system.” continues the post.

To prevent this kind of attack Trend Micro recommends:

  • Make sure UEFI SecureFlash is enabled
  • Update the BIOS whenever there is a security patch
  • Set up a BIOS or UEFI password

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – UEFI BIOS, rootkit)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment