Chinese hacker group spotted using a UEFI bootkit in the wild

Targets included diplomatic entities and NGOs in Africa, Asia, and Europe.

Image: Soviet Artefacts, ZDNet


A Chinese-speaking hacking group has been observed using a UEFI bootkit to download and install additional malware on targeted computers.

UEFI firmware is a crucial component of every computer. It is stored in a flash memory chip attached to the motherboard; it controls all the computer's hardware components and helps boot the actual user-facing OS (such as Windows, Linux, or macOS).

Attacks on UEFI firmware are the Holy Grail of every hacker group, as planting malicious code here allows it to survive OS reinstalls.

Nonetheless, despite these benefits, UEFI firmware attacks are rare because tampering with this component is particularly hard: attackers need either physical access to the device or a complex supply chain attack in which the UEFI firmware, or the tools used to work with it, is modified to insert malicious code.

In a talk at the SAS virtual security conference today, security researchers from Kaspersky said they detected the second known instance of a widespread attack leveraging malicious code implanted in the UEFI.

The first, disclosed by ESET in 2018, was supposedly carried out by Fancy Bear, one of Russia's state-sponsored hacker groups. This second one is the work of Chinese-speaking hackers, according to Kaspersky.

UEFI bootkit used to deploy new MosaicRegressor malware

The company said it discovered these attacks after two computers were flagged by the company's Firmware Scanner module as suspicious.

In their talk today, Kaspersky malware researchers Mark Lechtik and Igor Kuznetsov said they investigated the flagged systems and found malicious code inside the flagged UEFI firmware. This code, they said, was designed to install a malicious app (as an autorun program) after every computer start.

This initial autorun program acted as a downloader for other malware components, which Kaspersky named the MosaicRegressor malware framework.

Kaspersky said it has yet to obtain and analyze all of MosaicRegressor's components, but the one they did look at contained functionality to gather all the documents from the "Recent Documents" folder and put them in a password-protected archive, most likely preparing the files for exfiltration via another component.

The researchers said they found the UEFI bootkit on only two systems, but they found MosaicRegressor components on a multitude of other computers.

However, the targets of these attacks were all carefully selected. All were diplomatic entities and NGOs in Africa, Asia, and Europe.

"Based on the affiliation of the discovered victims, we could determine that all had some connection to the DPRK [North Korea], be it non-profit activity related to the country or actual presence within it," Kaspersky said.

Based on leaked HackingTeam malware

But Kaspersky also made another major discovery while analyzing these attacks. The UEFI malicious code wasn't exactly new. According to their analysis, the code was based on VectorEDK, a hacking utility for attacking UEFI firmware created by HackingTeam, a now-defunct Italian vendor of hacking tools, exploits, and surveillance software.

The company was hacked in 2015, and its tools were dumped online, including the VectorEDK toolkit. According to its manual, the tool was designed to be used with physical access to a victim's computer.

Kaspersky says that based on the similarities between VectorEDK and the modified version used by the Chinese group, the Chinese group most likely deployed their tool using physical access to their targets' computers as well.

The company's full report on these attacks is available as a 30-page PDF report here.