Conti ransomware targeted Intel firmware for stealthy attacks

LASER_oneXM

Feb 4, 2016
Researchers analyzing the leaked chats of the notorious Conti ransomware operation have discovered that teams inside the Russian cybercrime group were actively developing firmware hacks.

According to messages exchanged between members of the cybercrime syndicate, Conti developers had created proof-of-concept (PoC) code that leveraged Intel’s Management Engine (ME) to overwrite flash and gain SMM (System Management Mode) execution.

The ME is an embedded microcontroller within Intel chipsets running a micro-OS to provide out-of-band services. Conti was fuzzing that component to find undocumented functions and commands they could leverage.

From there, Conti could access the flash memory that hosted UEFI/BIOS firmware, bypass write protections, and perform arbitrary code execution on the compromised system.

The final goal would be to drop an SMM implant that would run with the highest possible system privileges (ring-0) while practically undetectable from OS-level security tools.

ForgottenSeer 69673

If I remember right, there is a program that compares the old BIOS code to the new code to see if you are infected. I just can't remember the name of the project. If I can find info on it, I will EDIT this post.

OK found them: Find changes between two UEFI firmware versions?

Best to just keep a copy and use it now and then to reflash?
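A defender-side illustration of the "compare the old BIOS code to the new code" idea in the reply above, as an added example that is not from this thread or from any tool it links to: it hashes two raw flash dumps chunk by chunk and reports the offsets that differ. The sample dumps, the 4 KiB chunk size and the function names are constructed for this example.

```python
import hashlib
from typing import List, Tuple

CHUNK = 4096  # assumed comparison granularity: one 4 KiB flash page per hash


def chunk_hashes(image: bytes, chunk: int = CHUNK) -> List[str]:
    """SHA-256 digest of every fixed-size chunk of a raw flash dump."""
    return [hashlib.sha256(image[i:i + chunk]).hexdigest()
            for i in range(0, len(image), chunk)]


def changed_ranges(known_good: bytes, current: bytes,
                   chunk: int = CHUNK) -> List[Tuple[int, int]]:
    """Return merged (offset, length) ranges where `current` differs from
    `known_good`. Both dumps must be the same size; a size change in a
    flash image is itself worth investigating, so it is reported, not hidden."""
    if len(known_good) != len(current):
        raise ValueError(f"size mismatch: {len(known_good)} vs {len(current)} bytes")
    ranges: List[Tuple[int, int]] = []
    for idx, (h_good, h_cur) in enumerate(zip(chunk_hashes(known_good, chunk),
                                              chunk_hashes(current, chunk))):
        if h_good == h_cur:
            continue
        off = idx * chunk
        size = min(chunk, len(current) - off)
        if ranges and ranges[-1][0] + ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], ranges[-1][1] + size)  # extend adjacent run
        else:
            ranges.append((off, size))
    return ranges


# Constructed sample data: a deterministic 64 KiB "flash dump" standing in for
# a known-good backup, and a copy with three regions overwritten (not real firmware).
KNOWN_GOOD = bytes((i * 7 + 3) & 0xFF for i in range(64 * 1024))
_tampered = bytearray(KNOWN_GOOD)
_tampered[0x3000:0x3010] = b"\xff" * 16        # lands in chunk 3
_tampered[0x9010:0x9020] = b"\xff" * 16        # chunk 9 ...
_tampered[0xA000:0xA010] = b"\xff" * 16        # ... and adjacent chunk 10, merged
TAMPERED = bytes(_tampered)


def report(known_good: bytes = KNOWN_GOOD, current: bytes = TAMPERED) -> List[str]:
    """Human-readable line for each differing range."""
    return [f"modified: offset 0x{off:06X}, {size} bytes"
            for off, size in changed_ranges(known_good, current)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Legitimate changes such as NVRAM variable stores will also show up, so check the reported offsets against the image layout rather than treating every difference as an implant.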
