Tuesday, 06 October 2020 07:34

Kaspersky finds UEFI images that could be used for malware transport


Russian security firm Kaspersky claims to have found a number of suspicious UEFI images, built on the leaked source code of the Italian firm Hacking Team and containing a malicious implant that could be used to place a malicious update on a Windows system.

The images placed a file called IntelUpdate.exe in the victim’s Windows Startup folder.
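The file name above is the one host-level indicator the article gives. As an added example (not Kaspersky's or iTWire's code), the script below checks the per-user and all-users Windows Startup folders for it, resolving the folder paths from the usual environment variables; the directory listing embedded in it is constructed so the check can be exercised offline on any platform.

```python
"""Check Windows Startup folders for the dropper file named in the article.

Added example, not code from Kaspersky or iTWire. The only indicator used is
the file name the article reports (IntelUpdate.exe); SAMPLE_LISTING is a
constructed directory listing so the check runs offline.
"""
import os
import re
from pathlib import Path

# Indicator from the article: the UEFI implant drops this into the Startup folder.
STARTUP_IOCS = {"intelupdate.exe"}


def startup_dirs():
    """Per-user and all-users Startup folders, resolved from environment variables.

    Returns an empty list when the variables are absent (e.g. on a non-Windows host).
    """
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    programdata = os.environ.get("ProgramData")
    if programdata:
        dirs.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return dirs


def basename_any(path):
    """Final path component, splitting on both '\\' and '/', so a Windows
    listing can be examined from any platform."""
    return re.split(r"[\\/]", path)[-1]


def flag_entries(entries, iocs=STARTUP_IOCS):
    """Return the entries whose file name matches an indicator (case-insensitive).

    `entries` is any iterable of path strings; only the final component is
    compared, so both full paths and bare listings work.
    """
    return [e for e in entries if basename_any(e).lower() in iocs]


def scan_startup_folders():
    """Walk the real Startup folders (Windows only) and return matching paths."""
    found = []
    for d in startup_dirs():
        if d.is_dir():
            found.extend(flag_entries(str(p) for p in d.iterdir()))
    return found


# Constructed sample listing for an offline demonstration.
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelUpdate.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
]

if __name__ == "__main__":
    # Prefer the live folders; fall back to the constructed listing elsewhere.
    hits = scan_startup_folders() or flag_entries(SAMPLE_LISTING)
    for h in hits:
        print("suspicious startup entry:", h)
```

A hit here is only evidence of the dropped file, not of the implant itself: as the researchers note further down, the implant sits in SPI flash, so deleting the file or reinstalling the OS does not remove it, and a firmware image comparison is the follow-up step.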

Researchers Mark Lechtik, Igor Kuznetsov and Yury Parshin said in a detailed blog post that this was only the second time malicious UEFI firmware used by a threat actor had been found in the wild.

Back in September 2018, researchers at the Slovakian security firm ESET discovered a UEFI rootkit in the wild.

Hacking Team, a company that used to sell surveillance and hacking software to governments worldwide, was broken into in July 2015.

A man who called himself Phineas Fisher claimed to be behind the act, saying he had done it to punish the company and its customers as they had been often caught using Hacking Team's wares to spy on dissidents and human rights activists.

Kaspersky said the malicious images had been found by using Firmware Scanner, which it has been using in its products since the beginning of 2019.

The UEFI, or Unified Extensible Firmware Interface, replaced the BIOS on PCs beginning in late 2012. It is a specification that defines the structure and operation of low-level platform firmware.

It allows an operating system to interact with it during the boot phase and facilitates the loading of the operating system. It is, thus, an excellent location for malware, though infiltration can also take place when a system is up and running.

Microsoft used one feature in the UEFI to introduce what it called secure boot in Windows 8 in 2012, in a manner that effectively prevented easy booting of other operating systems on machines which had secure boot enabled.

Secure boot was designed so that an exchange of cryptographic keys took place at boot-time; a system could verify the operating system attempting to boot was a genuine one, and not malware. There were further key exchanges along the way.

But four years later, two researchers cracked the technology when they found a so-called golden key that was protecting the feature.

Lechtik, Kuznetsov and Parshin wrote: "A sophisticated attacker can modify the firmware in order to have it deploy malicious code that will be run after the operating system is loaded. Moreover, since it is typically shipped within SPI flash storage that is soldered to the computer’s motherboard, such implanted malware will be resistant to OS reinstallation or replacement of the hard drive."

The Kaspersky trio said they were unsure about the infection vector but speculated that one way was through physical access to the machine. "...the leaks reveal that the UEFI infection capability (which is referred to by Hacking Team as ‘persistent installation’) was tested on ASUS X550C laptops," they said.

"These make use of UEFI firmware by AMI which is very similar to the one we inspected. For this reason we can assume that Hacking Team’s method of patching the firmware would work in our case as well."

The implant observed by Kaspersky deployed a piece of malware unknown to its researchers. But they looked for similar samples and concluded that the malware variant they had found was one component of a wider framework which they had named MosaicRegressor.

"The downloader components of MosaicRegressor are composed of common business logic, whereby the implants contact a C&C [command and control server], download further DLLs from it and then load and invoke specific export functions from them," Lechtik, Kuznetsov and Parshin wrote. "The execution of the downloaded modules usually results in output that can be in turn issued back to the C&C."

They said the downloaders they had found made use of the following means of communications to contact their C&Cs:

  • CURL library (HTTP/HTTPS);
  • BITS transfer interface;
  • WinHTTP API; and
  • POP3S/SMTPS/IMAPS, payloads transferred in email messages.

The mailboxes used by the last variant resided on the domain.

The Kaspersky trio said they had been able to obtain only one variant of the second stage in this process. "These components are also just intermediate loaders for the next stage DLLs. Ultimately, there is no concrete business logic in the persistent components, as it is provided by the C&C server in a form of DLL files, most of them temporary," they said.

As to the targets of this malware, Kaspersky said these were diplomatic entities and NGOs in Africa, Asia and Europe. The researchers speculated that, based on the affiliations of discovered victims, they could determine some connection to North Korea.

They claimed that artefacts found during their investigations pointed to a Chinese-speaking actor.

"It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target’s SPI flash chip, and the high stakes of burning sensitive toolset or assets when doing so," Lechtik, Kuznetsov and Parshin wrote.

"...we see that UEFI continues to be a point of interest to APT actors, while at large being overlooked by security vendors. The combination of our technology and understanding of the current and past campaigns leveraging infected firmware, helps us monitor and report on future attacks against such targets."



Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
