The second-ever UEFI rootkit found in the wild has been detected in a cyber-espionage campaign aimed at diplomats and members of non-governmental organizations (NGOs) from Africa, Asia and Europe. The malware appears to be part of a newly uncovered framework dubbed MosaicRegressor, according to a new report from Kaspersky.
The researchers say that code artifacts in some of the framework's components, and overlaps in the C&C infrastructure used in the campaign, suggest the involvement of a Chinese-speaking threat actor with connections to hacker groups using the Winnti backdoor.
The analysis revealed that the malicious firmware contained four components: two DXE drivers and two UEFI applications. According to the researchers, the malicious UEFI firmware is based on the leaked source code of the VectorEDK bootkit developed by HackingTeam, a now-defunct Italian vendor of hacking tools, exploits and surveillance software. The company's tools (including the VectorEDK toolkit) were leaked online after a major breach in 2015. According to its manual, deploying VectorEDK requires physical access to the victim's computer.
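Because the implant lives in the SPI flash rather than on disk, the check a responder wants is a comparison of a firmware dump against a known-good image of the same board. The following Python script is an added example, not code from Kaspersky's report or from the MosaicRegressor samples: it walks a flash image for EFI_FIRMWARE_VOLUME_HEADER structures by their `_FVH` signature, validates each header checksum, hashes every firmware volume and reports volumes that differ from the baseline. The two images it compares are constructed in memory as stand-ins for a vendor image and a dump from a suspect machine (in practice the dump would come from a tool such as flashrom or chipsec); the GUID, block size and attribute values are ordinary UEFI constants, and the volume contents are placeholder bytes.

```python
"""Compare UEFI firmware volumes in an SPI flash dump against a known-good baseline.

Added example (not from the Kaspersky report or the MosaicRegressor samples).
Real dumps come from flashrom/chipsec; the images below are constructed in memory.
"""
import hashlib
import struct

FV_SIGNATURE = b"_FVH"  # EFI_FIRMWARE_VOLUME_HEADER.Signature, at offset 40 of the header
# ZeroVector, FileSystemGuid, FvLength, Signature, Attributes, HeaderLength,
# Checksum, ExtHeaderOffset, Reserved, Revision  (56 bytes, followed by the block map)
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)
# EFI_FIRMWARE_FILE_SYSTEM2_GUID {8C8CE578-8A3D-4F1C-9935-896185C32DD3}, the usual DXE/PEI volume type
FFS2_GUID = struct.pack("<IHH8s", 0x8C8CE578, 0x8A3D, 0x4F1C, bytes.fromhex("9935896185c32dd3"))


def header_checksum_ok(image: bytes, start: int, hdr_len: int) -> bool:
    """The 16-bit words of a firmware volume header must sum to zero (mod 2^16)."""
    words = struct.unpack_from("<%dH" % (hdr_len // 2), image, start)
    return sum(words) & 0xFFFF == 0


def find_firmware_volumes(image: bytes):
    """Return [(offset, length, FileSystemGuid)] for every top-level volume in the image."""
    volumes, pos = [], 0
    while (sig := image.find(FV_SIGNATURE, pos)) != -1:
        pos = sig + 1
        start = sig - 40  # signature sits 40 bytes into the header
        if start < 0 or start + FV_HEADER_SIZE > len(image):
            continue
        (_, fs_guid, fv_length, _, _, hdr_len, _, _, _, revision) = struct.unpack_from(
            FV_HEADER_FMT, image, start)
        # Reject false positives: implausible lengths, truncated volumes, unknown revision, bad checksum
        if (hdr_len < FV_HEADER_SIZE or fv_length < hdr_len or start + fv_length > len(image)
                or revision != 2 or not header_checksum_ok(image, start, hdr_len)):
            continue
        volumes.append((start, fv_length, fs_guid))
        pos = start + fv_length  # nested volumes are part of the parent's hash; skip past them
    return volumes


def hash_volumes(image: bytes) -> dict:
    """Map (offset, FileSystemGuid hex) -> SHA-256 of the whole volume, header included."""
    return {(start, guid.hex()): hashlib.sha256(image[start:start + length]).hexdigest()
            for start, length, guid in find_firmware_volumes(image)}


def compare_to_baseline(baseline_image: bytes, suspect_image: bytes):
    """List (finding, (offset, guid_hex)) for modified, unexpected and missing volumes."""
    base, susp = hash_volumes(baseline_image), hash_volumes(suspect_image)
    findings = [("unexpected_volume" if key not in base else "modified_volume", key)
                for key, digest in susp.items() if base.get(key) != digest]
    findings += [("missing_volume", key) for key in base if key not in susp]
    return findings


def build_fv(fs_guid: bytes, body: bytes, block_size: int = 0x1000) -> bytes:
    """Construct a minimal firmware volume (header, one block-map entry, body) with a valid checksum."""
    hdr_len = FV_HEADER_SIZE + 16  # one EFI_FV_BLOCK_MAP_ENTRY plus the zero terminator
    fv_length = -(-(hdr_len + len(body)) // block_size) * block_size
    num_blocks = fv_length // block_size

    def header(checksum: int) -> bytes:
        fixed = struct.pack(FV_HEADER_FMT, b"\0" * 16, fs_guid, fv_length, FV_SIGNATURE,
                            0x0004FEFF, hdr_len, checksum, 0, 0, 2)  # typical attribute bits, revision 2
        return fixed + struct.pack("<IIII", num_blocks, block_size, 0, 0)

    checksum = (-sum(struct.unpack("<%dH" % (hdr_len // 2), header(0)))) & 0xFFFF
    return header(checksum) + body + b"\xff" * (fv_length - hdr_len - len(body))


# Constructed sample images: a vendor image and a dump whose DXE volume has extra content
# (standing in for added DXE drivers and UEFI applications). Volumes start at 0x100 and 0x1100.
PEI_BODY = b"PEI volume: constructed placeholder bytes"
DXE_BODY = b"DXE volume: constructed placeholder bytes"
VENDOR_IMAGE = b"\xff" * 0x100 + build_fv(FFS2_GUID, PEI_BODY) + build_fv(FFS2_GUID, DXE_BODY)
SUSPECT_IMAGE = b"\xff" * 0x100 + build_fv(FFS2_GUID, PEI_BODY) + build_fv(FFS2_GUID, DXE_BODY + b"extra")

if __name__ == "__main__":
    for kind, (offset, guid) in compare_to_baseline(VENDOR_IMAGE, SUSPECT_IMAGE):
        print(f"{kind}: volume at 0x{offset:x} (FileSystemGuid {guid})")
```

Run against real dumps, a whole-volume hash is deliberately coarse: it will flag any change, including legitimate ones, so the NVRAM variable store should be excluded from the comparison and only code volumes (PEI and DXE) compared. A hit on a DXE volume then calls for extracting its firmware files and diffing the driver list against the vendor image.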
“While Hacking Team’s original bootkit was used to write one of the company’s backdoors to disk, known as ‘Soldier’, ‘Scout’ or ‘Elite’, the UEFI implant we investigated deployed a new piece of malware that we haven’t seen thus far. We decided to look for similar samples that share strings and implementation traits with the dropped binary. Consequently, the samples that we found suggested that the dropped malware was only one variant derived from a wider framework that we named MosaicRegressor,” Kaspersky explained.
MosaicRegressor is a multi-stage, modular framework designed for espionage and data gathering. It contains downloaders that fetch and execute payloads on victim machines. Its modular structure lets the attackers hide the wider framework from analysis and deploy components to target machines only on demand.
“The downloader components of MosaicRegressor are composed of common business logic, whereby the implants contact a C&C, download further DLLs from it and then load and invoke specific export functions from them. The execution of the downloaded modules usually results in output that can be in turn issued back to the C&C,” the researchers said.
When contacting their command-and-control servers, the downloaders use various communication mechanisms, including the libcurl library (HTTP/HTTPS), the BITS transfer interface, POP3S/SMTPS/IMAPS and the WinHTTP API.
“It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target’s SPI flash chip, and the high stakes of burning sensitive toolset or assets when doing so. We see that UEFI continues to be a point of interest to APT actors, while at large being overlooked by security vendors. The combination of our technology and understanding of the current and past campaigns leveraging infected firmware, helps us monitor and report on future attacks against such targets,” the report concludes.