Tuesday, 06 October 2020 07:34

Kaspersky finds UEFI images that could be used for malware transport

Image by nanoslavic from Pixabay

Russian security firm Kaspersky claims to have found a number of suspicious UEFI images, based on the leaked source code of the Italian firm Hacking Team, containing a malicious implant that could be used to place a malicious update on a Windows system.

The images placed a file called IntelUpdate.exe in the victim’s Windows Startup folder.

Researchers Mark Lechtik, Igor Kuznetsov and Yury Parshin said in a detailed blog post that this was the second time that malicious UEFI firmware being used by a threat actor had been found in the wild.

Back in September 2018, researchers at the Slovakian security firm ESET discovered a UEFI rootkit in the wild.

Hacking Team, a company that used to sell surveillance and hacking software to governments worldwide, was broken into in July 2015.

A man who called himself Phineas Fisher claimed to be behind the act, saying he had done it to punish the company and its customers as they had been often caught using Hacking Team's wares to spy on dissidents and human rights activists.

Kaspersky said the malicious images had been found by using Firmware Scanner, which it has been using in its products since the beginning of 2019.

The UEFI or Unified Extensible Firmware Interface replaced the BIOS on PCs beginning in late 2012. It is a specification that defines the structure and operation of low-level platform firmware.

It allows an operating system to interact with it during the boot phase and facilitates the loading of the operating system. It is, thus, an excellent location for malware, though infiltration can also take place when a system is up and running.

Microsoft used one feature in the UEFI to introduce what it called secure boot in Windows 8 in 2012, in a manner that effectively prevented easy booting of other operating systems on machines which had secure boot enabled.

Secure boot was designed so that an exchange of cryptographic keys took place at boot-time; a system could verify the operating system attempting to boot was a genuine one, and not malware. There were further key exchanges along the way.

But four years later, two researchers cracked the technology when they found a so-called golden key that was protecting the feature.

Lechtik, Kuznetsov and Parshin wrote: "A sophisticated attacker can modify the firmware in order to have it deploy malicious code that will be run after the operating system is loaded. Moreover, since it is typically shipped within SPI flash storage that is soldered to the computer’s motherboard, such implanted malware will be resistant to OS reinstallation or replacement of the hard drive."

The Kaspersky trio said they were unsure about the infection vector but speculated that one way was by having access to a physical machine. "...the leaks reveal that the UEFI infection capability (which is referred to by Hacking Team as ‘persistent installation’) was tested on ASUS X550C laptops," they said.

"These make use of UEFI firmware by AMI which is very similar to the one we inspected. For this reason we can assume that Hacking Team’s method of patching the firmware would work in our case as well."

The implant observed by Kaspersky deployed a piece of malware unknown to its researchers. But they looked for similar samples and concluded that the malware variant they had found was one component of a wider framework which they had named MosaicRegressor.
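Two of the indicators the article describes lend themselves to simple defender-side checks: a firmware image that carries an embedded Windows executable (the implant has to contain the PE it later drops), and a file named IntelUpdate.exe sitting in a Windows Startup folder. The following Python is an added example written for this article; it is not Kaspersky's Firmware Scanner and not code from the researchers. It walks a byte string for DOS/PE headers and matches Startup-folder paths against the reported file name. The sample "firmware image" and the sample paths are constructed here for illustration and are not real artefacts from the campaign.

```python
import struct

# COFF "Machine" values for the architectures a UEFI implant would plausibly drop.
MACHINE = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}

# File name reported in the article as being placed in the victim's Startup folder.
STARTUP_DROP_NAME = "intelupdate.exe"


def find_embedded_pe(image: bytes) -> list:
    """Return every offset in `image` where a DOS header ('MZ') points, via
    e_lfanew at +0x3C, to a valid 'PE\\0\\0' signature. A bare 'MZ' with no
    PE header behind it (random data, a string) is deliberately ignored."""
    hits = []
    pos = image.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(image):
            e_lfanew = struct.unpack_from("<I", image, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Sanity bound on e_lfanew, plus room for signature (4) + COFF header (20).
            if 0 < e_lfanew < 0x1000 and pe + 24 <= len(image) \
                    and image[pe:pe + 4] == b"PE\x00\x00":
                machine = struct.unpack_from("<H", image, pe + 4)[0]
                hits.append({"offset": pos, "machine": MACHINE.get(machine, hex(machine))})
        pos = image.find(b"MZ", pos + 1)
    return hits


def startup_indicators(paths: list) -> list:
    """Return the paths whose file name is the reported dropper name and that
    live inside a Windows Startup folder (user or all-users)."""
    hits = []
    for p in paths:
        norm = p.replace("\\", "/").lower()
        if "/startup/" in norm and norm.rsplit("/", 1)[-1] == STARTUP_DROP_NAME:
            hits.append(p)
    return hits


def _minimal_pe(machine: int) -> bytes:
    """Constructed helper: the smallest byte layout that satisfies the checks in
    find_embedded_pe (DOS stub with e_lfanew=0x80, PE signature, COFF header)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x0022)
    return bytes(dos) + b"PE\x00\x00" + coff


# Constructed sample "firmware image": erased-flash padding, one embedded x64 PE
# at offset 0x1000, and a decoy 'MZ' with no PE header that must not be reported.
SAMPLE_IMAGE = (
    b"\xff" * 0x1000
    + _minimal_pe(0x8664)
    + b"\xff" * 0x200
    + b"MZ" + b"\x00" * 0x40
    + b"\xff" * 0x100
)

# Constructed sample of file paths as a host inventory might list them.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelUpdate.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini",
    r"C:\Program Files\Intel\IntelUpdate.exe",
]

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_IMAGE):
        print("embedded PE at 0x%x (%s)" % (hit["offset"], hit["machine"]))
    for path in startup_indicators(SAMPLE_PATHS):
        print("startup indicator:", path)
```

On a real system the image would come from an SPI flash dump or a vendor capsule, and a PE inside a UEFI volume is not by itself malicious (some firmware legitimately carries EFI executables, which share the PE format), so the offsets reported here are a triage list to compare against a known-good image from the vendor rather than a verdict.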

"The downloader components of MosaicRegressor are composed of common business logic, whereby the implants contact a C&C [command and control server], download further DLLs from it and then load and invoke specific export functions from them," Lechtik, Kuznetsov and Parshin wrote. "The execution of the downloaded modules usually results in output that can be in turn issued back to the C&C."

They said the downloaders they had found made use of the following means of communications to contact their C&Cs:

  • CURL library (HTTP/HTTPS);
  • BITS transfer interface;
  • WinHTTP API; and
  • POP3S/SMTPS/IMAPS, payloads transferred in email messages.

The mail boxes used by the last variant resided on the domain.

The Kaspersky trio said they had been able to obtain only one variant of the second stage in this process. "These components are also just intermediate loaders for the next stage DLLs. Ultimately, there is no concrete business logic in the persistent components, as it is provided by the C&C server in a form of DLL files, most of them temporary," they said.

As to the targets of this malware, Kaspersky said these were diplomatic entities and NGOs in Africa, Asia and Europe. The researchers speculated that, based on the affiliations of discovered victims, they could determine some connection to North Korea.

They claimed that artefacts found during their investigations pointed to a Chinese-speaking actor.

"It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target’s SPI flash chip, and the high stakes of burning sensitive toolset or assets when doing so," Lechtik, Kuznetsov and Parshin wrote.

"...we see that UEFI continues to be a point of interest to APT actors, while at large being overlooked by security vendors. The combination of our technology and understanding of the current and past campaigns leveraging infected firmware, helps us monitor and report on future attacks against such targets."

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
