The images placed a file called IntelUpdate.exe in the victim’s Windows Startup folder.
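As an added defender-side example (not code from the article or from Kaspersky), the following Python script checks the Windows Startup folders of every user profile and the all-users profile for anything that would execute at logon. The only indicator taken from the page is the file name IntelUpdate.exe; the folder layout is the standard Windows one, the severity ranking is a heuristic of my own, and the sample directory tree it scans is constructed in a temporary directory so the script runs anywhere.

```python
"""Added example: flag suspicious entries in Windows Startup folders.

Constructed example, not code from the article or from Kaspersky. It builds a
throw-away directory tree that mimics the per-user and all-users Startup
folders, then scans them. The only page-supported indicator is the file name
IntelUpdate.exe; everything else is a generic heuristic.
"""
import hashlib
import tempfile
from pathlib import Path

# Indicator from the report: the implant drops IntelUpdate.exe into the
# victim's Startup folder. Matching is case-insensitive, as NTFS is.
KNOWN_DROPPED_NAMES = {"intelupdate.exe"}

# File types that execute directly when a Startup entry is launched. Normal
# Startup content is .lnk shortcuts, so a bare executable deserves a look.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def startup_folders(profile_root: Path, program_data: Path):
    """Yield the Startup folder of each user profile plus the all-users one.
    The relative paths are the real Windows layout; the roots are parameters
    so the scan can be pointed at a mounted disk image or a test tree."""
    for profile in profile_root.iterdir():
        if profile.is_dir():
            yield profile / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    yield program_data / "Microsoft/Windows/Start Menu/Programs/StartUp"


def sha256_of(path: Path) -> str:
    """Hash the file so a finding can be compared against known samples."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_startup(profile_root: Path, program_data: Path):
    """Return findings as (severity, path, sha256), highest severity first."""
    findings = []
    for folder in startup_folders(profile_root, program_data):
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            if not entry.is_file():
                continue
            if entry.name.lower() in KNOWN_DROPPED_NAMES:
                severity = "high"      # matches the MosaicRegressor drop name
            elif entry.suffix.lower() in EXECUTABLE_SUFFIXES:
                severity = "medium"    # executable placed directly in Startup
            else:
                severity = "low"       # shortcuts, desktop.ini and the like
            findings.append((severity, str(entry), sha256_of(entry)))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1]))


def build_demo_tree(root: Path):
    """Constructed sample: two user profiles and the all-users folder."""
    users = root / "Users"
    pdata = root / "ProgramData"
    alice = users / "alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    bob = users / "bob/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    allusers = pdata / "Microsoft/Windows/Start Menu/Programs/StartUp"
    for d in (alice, bob, allusers):
        d.mkdir(parents=True, exist_ok=True)
    # Placeholder bytes only; none of these are real binaries.
    (alice / "IntelUpdate.exe").write_bytes(b"MZ constructed placeholder")
    (alice / "OneNote.lnk").write_bytes(b"L\x00\x00\x00 constructed shortcut")
    (bob / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (allusers / "agent.exe").write_bytes(b"MZ constructed placeholder")
    return users, pdata


def demo():
    """Scan the constructed tree and return (severity, file name) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        users, pdata = build_demo_tree(Path(tmp))
        return [(sev, Path(p).name) for sev, p, _ in scan_startup(users, pdata)]


if __name__ == "__main__":
    for sev, name in demo():
        print(f"{sev:6} {name}")
```

On a real host, point `scan_startup` at `C:\Users` and `C:\ProgramData` (or at the same paths on a mounted image); the hashes it returns are what you would compare against published sample hashes, and because the implant lives in firmware, a clean Startup folder after reinstallation does not mean the dropper will not reappear.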
Researchers Mark Lechtik, Igor Kuznetsov and Yury Parshin said in a detailed blog post that this was the second time that malicious UEFI firmware being used by a threat actor had been found in the wild.
Back in September 2018, researchers at the Slovak security firm ESET discovered a UEFI rootkit in the wild.
A man who called himself Phineas Fisher claimed to be behind the act, saying he had done it to punish the company and its customers, as the company had often been caught using Hacking Team's wares to spy on dissidents and human rights activists.
Kaspersky said the malicious images had been found by using Firmware Scanner, which it has been using in its products since the beginning of 2019.
The UEFI, or Unified Extensible Firmware Interface, began replacing the BIOS on PCs in late 2012. It is a specification that defines the structure and operation of low-level platform firmware.
It allows an operating system to interact with the firmware during the boot phase and handles the loading of the operating system. It is, thus, an attractive location for persistent malware, though infection can also take place from a running operating system rather than only at boot time.
Microsoft used one feature in the UEFI to introduce what it called secure boot in Windows 8 in 2012, in a manner that effectively prevented easy booting of other operating systems on machines which had secure boot enabled.
Secure boot was designed so that a cryptographic key exchange and verification took place at boot time; a system could verify that the operating system attempting to boot was a genuine one and not malware. Further key exchanges took place at later stages of the boot chain.
But four years later, two researchers cracked the technology when they found a so-called golden key that was protecting the feature.
Lechtik, Kuznetsov and Parshin wrote: "A sophisticated attacker can modify the firmware in order to have it deploy malicious code that will be run after the operating system is loaded. Moreover, since it is typically shipped within SPI flash storage that is soldered to the computer’s motherboard, such implanted malware will be resistant to OS reinstallation or replacement of the hard drive."
The Kaspersky trio said they were unsure about the infection vector but speculated that one way was physical access to the machine. "...the leaks reveal that the UEFI infection capability (which is referred to by Hacking Team as ‘persistent installation’) was tested on ASUS X550C laptops," they said.
"These make use of UEFI firmware by AMI which is very similar to the one we inspected. For this reason we can assume that Hacking Team’s method of patching the firmware would work in our case as well."
The implant observed by Kaspersky deployed a piece of malware unknown to its researchers. But they looked for similar samples and concluded that the malware variant they had found was one component of a wider framework which they had named MosaicRegressor.
"The downloader components of MosaicRegressor are composed of common business logic, whereby the implants contact a C&C [command and control server], download further DLLs from it and then load and invoke specific export functions from them," Lechtik, Kuznetsov and Parshin wrote. "The execution of the downloaded modules usually results in output that can be in turn issued back to the C&C."
They said the downloaders they had found made use of the following means of communication to contact their C&Cs:
- CURL library (HTTP/HTTPS);
- BITS transfer interface;
- WinHTTP API; and
- POP3S/SMTPS/IMAPS, payloads transferred in email messages.
The mailboxes used by the last variant resided on the mail.ru domain.
The Kaspersky trio said they had been able to obtain only one variant of the second stage in this process. "These components are also just intermediate loaders for the next stage DLLs. Ultimately, there is no concrete business logic in the persistent components, as it is provided by the C&C server in a form of DLL files, most of them temporary," they said.
As to the targets of this malware, Kaspersky said these were diplomatic entities and NGOs in Africa, Asia and Europe. Based on the affiliations of the discovered victims, the researchers speculated that they could determine some connection to North Korea.
They claimed that artefacts found during their investigations pointed to a Chinese-speaking actor.
"It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target’s SPI flash chip, and the high stakes of burning sensitive toolset or assets when doing so," Lechtik, Kuznetsov and Parshin wrote.
"...we see that UEFI continues to be a point of interest to APT actors, while at large being overlooked by security vendors. The combination of our technology and understanding of the current and past campaigns leveraging infected firmware, helps us monitor and report on future attacks against such targets."