- Aug 17, 2014
- 11,114
Read more: Chinese hacker group spotted using a UEFI bootkit in the wild | ZDNet
Full report by researchers from Kaspersky: MosaicRegressor: Lurking in the Shadows of UEFI
Chinese hacker group spotted using a UEFI bootkit in the wild
- Thread starter silversurfer
- Start date
Full report by researchers from Kaspersky: MosaicRegressor: Lurking in the Shadows of UEFI
- Oct 2, 2020
- 451
It looks like rootkit scanning in Kaspersky products was used to find it. So rootkit scanning probably should not be disabled as sometimes advised.
Related wiki article: https://www.kaspersky.com/enterpris...ducts/anti-rootkit-and-remediation-technology
Related wiki article: https://www.kaspersky.com/enterpris...ducts/anti-rootkit-and-remediation-technology
Last edited:
![[correlate]](/data/avatars/m/79/79653.jpg?1556985072){kind=avatar}
- May 4, 2019
- 825
A China-Linked Group Repurposed Hacking Team’s Stealthy Spyware
The tool attacks a device’s UEFI firmware—which makes it especially hard to detect and destroy.
- Dec 23, 2014
- 8,513
This malware requires physical access to the device. It is one of a few examples of UEFI malware used in the wild (another UEFI malware was used by the Fancy Bear Russian hacker group). Such malware is extremely rare in the wild. I think that similar malwares are is in the arsenal of many agencies (CIA for sure).
Edit.
Te UEFI malware can be implanted also by exploiting the UEFI update mechanism and other UEFI exploits.
Black Hat 2018: Update Mechanisms Allow Remote Attacks on UEFI Firmware
The glitch stems from a functionality intended to allow updates to the UEFI firmware.
threatpost.com
Last edited:
- Aug 17, 2014
- 11,114
How do you know this malware is just "extremely rare in the wild" as experts said this UEFI bootkit is using in the wild, so nobody here knows all facts...
- Dec 23, 2014
- 8,513
The known examples are enumerated in the article.
A China-Linked Group Repurposed Hacking Team’s Stealthy Spyware
The tool attacks a device’s UEFI firmware—which makes it especially hard to detect and destroy.
" But Kaspersky's new UEFI malware discovery is only the second ever obtained from a victim's machine, and in some sense it is the first purpose-built UEFI malware to be seen in use. "It's the first known proprietary custom UEFI backdoor that is not based on some well-known white-hat software, but was intended from the beginning to be a malicious one," says Kuznetsov. "
More info can be found in the Kaspersky article:
MosaicRegressor: Lurking in the Shadows of UEFI
We found a compromised UEFI firmware image that contained a malicious implant. To the best of our knowledge, this is the second known public case where malicious UEFI firmware in use by a threat actor was found in the wild.
securelist.com
Last edited:
- Aug 17, 2014
- 11,114
Well, there I couldn't find this info as that isn't the same link from the report by zdnet, probably the full report by Kaspersky has all info but that is much content to read... Thanks for point out this info!The known examples are enumerated in the article.
Furthermore (from the above article):A China-Linked Group Repurposed Hacking Team’s Stealthy Spyware
The tool attacks a device’s UEFI firmware—which makes it especially hard to detect and destroy.www.wired.com
" But Kaspersky's new UEFI malware discovery is only the second ever obtained from a victim's machine, and in some sense it is the first purpose-built UEFI malware to be seen in use. "It's the first known proprietary custom UEFI backdoor that is not based on some well-known white-hat software, but was intended from the beginning to be a malicious one," says Kuznetsov. "
- Jul 27, 2015
- 5,458
MosaicRegressor: Lurking in the Shadows of UEFI
We found a compromised UEFI firmware image that contained a malicious implant. To the best of our knowledge, this is the second known public case where malicious UEFI firmware in use by a threat actor was found in the wild.
securelist.com
- Dec 23, 2014
- 8,513
There are several types of malware that can bypass UEFI secure boot. Most of them can use the exploit to run the payload, but do not change the UEFI firmware. The recent example can be "Boothole" grub2 UEFI secure boot lockdown bypass.Personal I'm not so sure how actual " rare in the wild " this is today, because several of the payload IOCs is super easy to find on sources like VT, Anyrun, Hybrid etc as they are also pretty old by now. 2017, 2018 etc. The only thing I couldn't find a test result for, is those 4 UEFI modules. Other then the report from Kaspersky themselves.MosaicRegressor: Lurking in the Shadows of UEFI
We found a compromised UEFI firmware image that contained a malicious implant. To the best of our knowledge, this is the second known public case where malicious UEFI firmware in use by a threat actor was found in the wild.
The extremely rare cases are related to the stealthy malware hid in the UEFI firmware.
Are you sure that the payloads that you found could change the UEFI firmware? If you want I can examine the IOCs.
Edit.
There are some reasons to believe the expert from Kaspersky:
- It is hard to implement such malware on large scale attacks, because there are many different UEFI firmware.
- Such malware is very useful for spying, so it would not be logical to waste it in other attacks. There are many less stealthy, easier, and cheaper methods to infect computers for profit.
Last edited:
- Jul 27, 2015
- 5,458
No, I'm not 100% sure. Please do, because it would be very interesting.
- Dec 23, 2014
- 8,513
Could you PM some links if you will encounter this kind of malware? I did not see such malware for a long time (but I did not seek).No, I'm not 100% sure. Please do, because it would be very interesting.
Similar threads
-
- Locked
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}