Chinese hacker group spotted using a UEFI bootkit in the wild

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,048
A Chinese-speaking hacking group has been observed using a UEFI bootkit to download and install additional malware on targeted computers.

UEFI firmware it is a crucial component for every computer. This crucial firmware inside a flash memory bolted to the motherboard and controls all the computer's hardware components and helps boot the actual user-facing OS (such as Windows, Linux, macOS, etc.).

Attacks on UEFI firmware are the Holy Grail of every hacker group, as planting malicious code here allows it to survive OS reinstalls.

Nonetheless, despite these benefits, UEFI firmware attacks are rare because tampering with this component is particularly hard as attackers either need physical access to the device or they need to compromise targets via complex supply chain attacks where the UEFI firmware or tools that work with UEFI firmware are modified to insert malicious code.

In a talk at the SAS virtual security conference today, security researchers from Kaspersky said they detected the second known instance of a widespread attack leveraging malicious code implanted in the UEFI.
Read more: Chinese hacker group spotted using a UEFI bootkit in the wild | ZDNet

Full report by researchers from Kaspersky: MosaicRegressor: Lurking in the Shadows of UEFI
 

[correlate]

Level 18
Top Poster
Well-known
May 4, 2019
801
WHEN A HACKING organization’s secret tools are stolen and dumped online for anyone to pick up and repurpose, the consequences can roil the globe. Now one new discovery shows how long those effects can persist. Five years after the notorious spy contractor Hacking Team had its code leaked online, a customized version of one of its stealthiest spyware samples has shown up in the hands of possibly Chinese-speaking hackers.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
This malware requires physical access to the device. It is one of a few examples of UEFI malware used in the wild (another UEFI malware was used by the Fancy Bear Russian hacker group). Such malware is extremely rare in the wild. I think that similar malwares are is in the arsenal of many agencies (CIA for sure).

Edit.
Te UEFI malware can be implanted also by exploiting the UEFI update mechanism and other UEFI exploits.
 
Last edited:

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,048
This malware requires physical access to the device. It is one of a few examples of UEFI malware used in the wild (another UEFI malware was used by the Fancy Bear Russian hacker group). Such malware is extremely rare in the wild. I think that similar malwares are is in the arsenal of many agencies (CIA for sure).
How do you know this malware is just "extremely rare in the wild" as experts said this UEFI bootkit is using in the wild, so nobody here knows all facts...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
How do you know this malware is just "extremely rare in the wild" as experts said this UEFI bootkit is using in the wild, so nobody here knows all facts...
The known examples are enumerated in the article.
Furthermore (from the above article):
" But Kaspersky's new UEFI malware discovery is only the second ever obtained from a victim's machine, and in some sense it is the first purpose-built UEFI malware to be seen in use. "It's the first known proprietary custom UEFI backdoor that is not based on some well-known white-hat software, but was intended from the beginning to be a malicious one," says Kuznetsov. "

More info can be found in the Kaspersky article:
 
Last edited:

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,048
The known examples are enumerated in the article.
Furthermore (from the above article):
" But Kaspersky's new UEFI malware discovery is only the second ever obtained from a victim's machine, and in some sense it is the first purpose-built UEFI malware to be seen in use. "It's the first known proprietary custom UEFI backdoor that is not based on some well-known white-hat software, but was intended from the beginning to be a malicious one," says Kuznetsov. "
Well, there I couldn't find this info as that isn't the same link from the report by zdnet, probably the full report by Kaspersky has all info but that is much content to read... Thanks for point out this info! (y)
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,456
This malware requires physical access to the device. It is one of a few examples of UEFI malware used in the wild (another UEFI malware was used by the Fancy Bear Russian hacker group). Such malware is extremely rare in the wild. I think that similar malwares are is in the arsenal of many agencies (CIA for sure).
we were not able to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware. Our detection logs show that the firmware itself was found to be malicious, but no suspicious events preceded it. Due to this, we can only speculate how the infection could have happened.
Personal I'm not so sure how actual " rare in the wild " this is today, because several of the payload IOCs is super easy to find on sources like VT, Anyrun, Hybrid etc as they are also pretty old by now. 2017, 2018 etc. The only thing I couldn't find a test result for, is those 4 UEFI modules. Other then the report from Kaspersky themselves.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Personal I'm not so sure how actual " rare in the wild " this is today, because several of the payload IOCs is super easy to find on sources like VT, Anyrun, Hybrid etc as they are also pretty old by now. 2017, 2018 etc. The only thing I couldn't find a test result for, is those 4 UEFI modules. Other then the report from Kaspersky themselves.
There are several types of malware that can bypass UEFI secure boot. Most of them can use the exploit to run the payload, but do not change the UEFI firmware. The recent example can be "Boothole" grub2 UEFI secure boot lockdown bypass.
The extremely rare cases are related to the stealthy malware hid in the UEFI firmware.
Are you sure that the payloads that you found could change the UEFI firmware? If you want I can examine the IOCs.

Edit.
There are some reasons to believe the expert from Kaspersky:
  1. It is hard to implement such malware on large scale attacks, because there are many different UEFI firmware.
  2. Such malware is very useful for spying, so it would not be logical to waste it in other attacks. There are many less stealthy, easier, and cheaper methods to infect computers for profit.
 
Last edited:

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,456
There are several types of malware that can bypass UEFI secure boot. Most of them can use the exploit to run the payload, but do not change the UEFI firmware. The recent example can be "Boothole" grub2 UEFI secure boot lockdown bypass.
The extremely rare cases are related to the stealthy malware hid in the UEFI firmware.
Are you sure that the payloads that you found could change the UEFI firmware? If you want I can examine the IOCs.
No, I'm not 100% sure. Please do, because it would be very interesting. (y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top