Chinese Hackers Using UEFI Malware That Cannot Be Removed by OS Reinstalls

Kaspersky Lab first noticed the malware in a series of cyberattacks on diplomats, NGO staff from Africa, Asia and Europe.

Chinese hackers have already developed malware that can spy on targets and steal data without being detected. Now, they are armed with a UEFI-based malware that can linger on your computer even if you format the hard drive and reinstall the operating system.

According to Russian antivirus firm Kaspersky Lab, which first noticed the malware on the systems of two of its customers, it can drop spyware every time the system boots up and steal data. Named MosaicRegressor, the malware resides in the UEFI firmware. According to the researchers, its code artifacts and C&C (command and control) infrastructure suggest that it was developed by Chinese hackers.

[Image: MosaicRegressor malware. Caption: Initial investigation suggests that MosaicRegressor malware was developed by a Chinese hacker group. Credit: Pixabay]

OS Reinstalls Can't Remove It

To understand why it is impossible to remove this way, you first need to understand what UEFI is. The Unified Extensible Firmware Interface (UEFI) is firmware that sits between a computer's hardware and its operating system. It is similar to the traditional Basic Input Output System (BIOS) but adds capabilities such as mouse support and a graphical interface. UEFI is the first code that runs when a system is booted up (turned on).

Formatting and reinstalling the OS affect only the hard drive. Since UEFI resides in the motherboard's Serial Peripheral Interface (SPI) flash memory, formatting or even replacing the hard drive won't remove it. Thus, if a malicious program infects the UEFI, it survives a reinstall of the operating system and can go undetected by an antivirus tool.

How Does It Do It?

Kaspersky Lab first noticed the malware in a series of cyberattacks on diplomats and NGO staff from Africa, Asia and Europe. All of them had worked on issues related to North Korea. In a few instances, Kaspersky's Mark Lechtik and Igor Kuznetsov found that victims were also targeted with phishing emails carrying attached documents related to North Korea.

Once MosaicRegressor infects a system and hides in the UEFI, it downloads additional downloaders that deliver different payloads. The payloads are mostly spyware that steals files from "Recent Documents" and uploads them to the C&C server. During the research, they found that the malware code contained a C&C server address previously seen in use by Winnti, a Chinese state-sponsored hacker group. Apart from that, parts of the code were in the Chinese language.

"Although UEFI attacks present wide opportunities to the threat actors, MosaicRegressor is the first publicly known case where a threat actor used a custom-made, malicious UEFI firmware in the wild," said Mark Lechtik, a senior security researcher at Kaspersky.

Based on Lojax Malware

In 2018, ESET, an antivirus and cybersecurity research firm, also detected a UEFI malware called Lojax. They attributed the malware to the state-sponsored Russian hacker group Hacking Team, also known as Fancy Bear. Lojax's source code was leaked online in 2015, and Kaspersky researchers believe MosaicRegressor is based on the Vector-EDK bootkit.

[Image: Decoy document. Caption: Hackers used phishing emails with decoy documents based on North Korea. Credit: Kaspersky]

"This attack demonstrates that, albeit rarely, in exceptional cases, actors are willing to go to great lengths in order to gain the highest level of persistence on a victim's machine. Threat actors continue to diversify their toolsets and become more and more creative with the ways they target victims," said Lechtik.

Lojax was delivered through bootable USB drives capable of targeting Asus and Dell laptops. However, it is not known at this point which PC or laptop models are affected by MosaicRegressor. Each MosaicRegressor implant must be built specifically for a particular model, so it's difficult to know which models the Chinese group is targeting.

"Of course, we cannot exclude other possibilities whereby rogue firmware was pushed remotely, perhaps through a compromised update mechanism. Such a scenario would typically require exploiting vulnerabilities in the BIOS update authentication process. While this could be the case, we don't have any evidence to support it," Lechtik said.

They also advised that updating the UEFI or BIOS to a legitimate version would be the best way to remove the malware. In addition, antivirus solutions that include a firmware scanner and anti-rootkit capability would be the best way to detect it.
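To make the "firmware scanner" idea concrete, here is an added example (not Kaspersky's tooling and not code from this article): a minimal Python walker over the UEFI firmware volumes in a raw SPI flash dump that lists every FFS file and flags any whose GUID is absent from a known-good baseline for the same model. The sample volume and the driver GUIDs in it are constructed for the demo; the header layouts follow the standard EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER.

```python
import struct
import uuid

FV_SIG_OFFSET = 40      # "_FVH" follows ZeroVector(16) + FileSystemGuid(16) + FvLength(8)
FV_HEADER_LEN = 72      # 56-byte fixed header + one block-map entry + terminator entry
FFS_HEADER_LEN = 24     # EFI_FFS_FILE_HEADER: Name, IntegrityCheck, Type, Attributes, Size, State
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID

def iter_ffs_files(image: bytes):
    """Yield (guid, file_type, offset) for each FFS file in every volume in the dump."""
    pos = image.find(b"_FVH")
    while pos >= FV_SIG_OFFSET:
        fv_start = pos - FV_SIG_OFFSET
        fv_len, = struct.unpack_from("<Q", image, fv_start + 32)
        hdr_len, = struct.unpack_from("<H", image, fv_start + 48)
        off, end = fv_start + hdr_len, min(fv_start + fv_len, len(image))
        while off + FFS_HEADER_LEN <= end:
            hdr = image[off:off + FFS_HEADER_LEN]
            size = int.from_bytes(hdr[20:23], "little")   # 24-bit size, header included
            if hdr[:16] == b"\xff" * 16 or size < FFS_HEADER_LEN:
                break                                      # erased flash or corrupt header
            yield uuid.UUID(bytes_le=hdr[:16]), hdr[18], off
            off = (off + size + 7) & ~7                    # next file, FFS is 8-byte aligned
        pos = image.find(b"_FVH", end)

def unknown_files(image: bytes, baseline: set) -> list:
    """FFS files whose GUID is missing from the known-good baseline of this model's firmware."""
    return [(str(g), t, off) for g, t, off in iter_ffs_files(image) if g not in baseline]

# --- constructed sample data: a toy volume, not a real firmware dump ------------
def _ffs(guid: uuid.UUID, ftype: int, body: bytes) -> bytes:
    size = FFS_HEADER_LEN + len(body)
    hdr = guid.bytes_le + b"\x00\x00" + bytes([ftype, 0]) + size.to_bytes(3, "little") + b"\xf8"
    return (hdr + body).ljust((size + 7) & ~7, b"\xff")

def build_volume(files) -> bytes:
    body = b"".join(_ffs(*f) for f in files)
    fv_len = FV_HEADER_LEN + len(body) + 64                # trailing erased space
    hdr = (b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", fv_len) + b"_FVH"
           + struct.pack("<IHHHBB", 0, FV_HEADER_LEN, 0, 0, 0, 2)   # attrs .. revision
           + struct.pack("<IIII", 1, fv_len, 0, 0))          # block map + terminator
    return (hdr + body).ljust(fv_len, b"\xff")

KNOWN_DRIVER_A = uuid.UUID("11111111-1111-1111-1111-111111111111")  # hypothetical GUID
KNOWN_DRIVER_B = uuid.UUID("22222222-2222-2222-2222-222222222222")  # hypothetical GUID
ROGUE_DRIVER = uuid.UUID("33333333-3333-3333-3333-333333333333")    # hypothetical implant
BASELINE = {KNOWN_DRIVER_A, KNOWN_DRIVER_B}     # GUIDs from a clean dump of the same model
SAMPLE_IMAGE = b"\xff" * 64 + build_volume([(KNOWN_DRIVER_A, 0x07, b"A" * 8),
                                             (KNOWN_DRIVER_B, 0x07, b"B" * 16),
                                             (ROGUE_DRIVER, 0x07, b"X" * 32)])
```

A real dump would come from an SPI programmer or a firmware-reading tool, and the baseline from a clean image of the same firmware version; compressed sections inside the files are not unpacked here.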
