Malware delivery through UEFI bootkit with MosaicRegressor

Recently, our researchers uncovered a sophisticated targeted attack aimed at diplomatic institutions and NGOs in Asia, Europe, and Africa. As far as we can determine, all of the victims were connected to North Korea in one way or another, whether through nonprofit activity or diplomatic ties.

The attackers used a sophisticated modular cyberspy framework that our researchers call MosaicRegressor. Our investigation revealed that in some cases the malware entered victims’ computers through modified UEFIs, an extremely rare occurrence in the wild. However, in most cases, the attackers used spear-phishing, a more traditional method.

What is UEFI, and why is the bootkit dangerous?

UEFI, like BIOS (which it replaces), is software that runs right when the computer starts, even before the operating system launches. Moreover, it is stored not on the hard drive, but on a chip on the motherboard. If cybercriminals modify the UEFI code, they can potentially use it to deliver malware to a victim’s system.

That is precisely what we found in the campaign described above. What’s more, in creating their modified UEFI firmware, the attackers used the source code of VectorEDK, a Hacking Team bootkit that was leaked online. Although the source code became publicly available way back in 2015, this is the first evidence we’ve seen of its use by cybercriminals.

When the system starts, the bootkit places the malicious file IntelUpdate.exe in the system startup folder. That executable then downloads and installs other MosaicRegressor components on the computer. Because the dropper is planted from the UEFI firmware itself, detecting the file is not enough to get rid of it: neither deleting it nor reinstalling the operating system helps, since it is simply planted again at the next boot. The only way to fix the problem is to reflash the motherboard's firmware.

How is MosaicRegressor dangerous?

MosaicRegressor components that made it onto victims’ computers (through either a compromised UEFI or targeted phishing) connected to their C&C servers, downloaded additional modules, and ran them. Next, these modules were used to steal information. For example, one of them sent recently opened documents to the cybercriminals.

Various mechanisms were used to communicate with the C&C servers: the cURL library (for HTTP/HTTPS), the Background Intelligent Transfer Service (BITS) interface, the WinHTTP programming interface, and public mail services that use the POP3S, SMTPS, or IMAPS protocol.

This Securelist post provides a more detailed technical analysis of the malicious MosaicRegressor framework, together with indicators of compromise.

How to protect from MosaicRegressor

To protect from MosaicRegressor, the first threat to neutralize is spear-phishing, which is how most sophisticated attacks begin. To protect employee computers as fully as possible, we recommend combining security products with advanced antiphishing technologies and training that raises employee awareness of attacks of this type.

Our security solutions detect malicious modules tasked with data theft.

As for the compromised firmware, unfortunately we don’t know exactly how the bootkit got onto victims’ computers. Based on data from the Hacking Team leak, the attackers presumably needed physical access and used a USB drive to infect the machines. However, other methods of UEFI compromise cannot be ruled out.

To protect against the MosaicRegressor UEFI bootkit:

  • Check your computer or motherboard manufacturer’s website to find out if your hardware supports Intel Boot Guard, which prevents the unauthorized modification of UEFI firmware.
  • Use full-disk encryption to prevent a bootkit from installing its payload.
  • Use reliable security solutions that can scan and identify threats of this nature. Since 2019, our products have been able to search for threats hiding in the ROM BIOS and UEFI firmware. In fact, our dedicated Firmware Scanner technology initially detected this attack.
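As an added illustration (not part of the original post, and not Kaspersky's tooling), the following PowerShell triage script checks a Windows host for the two host-side traces the post describes: the IntelUpdate.exe dropper in the startup folders, and BITS transfer jobs, which the post names as one of the C&C channels. The dropper file name is taken from the post; the signature-status heuristic and the output layout are assumptions of this example.

```powershell
# Added triage script (example code, not from the post). Assumes Windows PowerShell 5.1+
# with the BitsTransfer module; run elevated so -AllUsers can see every account's BITS jobs.
$dropperName = 'IntelUpdate.exe'   # file name taken from the post
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),   # all-users startup folder
    [Environment]::GetFolderPath('Startup')          # current user's startup folder
)

# Hash and signature-check every file in the startup folders; flag the named dropper
# and any unsigned executable (heuristic assumed for this example).
$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path       = $_.FullName
            SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Signature  = $sig.Status
            Suspicious = ($_.Name -ieq $dropperName) -or
                         (($_.Extension -in '.exe', '.dll', '.scr') -and $sig.Status -ne 'Valid')
        }
    }
}

"== Startup folder contents =="
$findings | Format-Table -AutoSize

# BITS is one of the C&C channels named above; list jobs with their remote URLs.
"== BITS transfer jobs =="
try {
    Import-Module BitsTransfer -ErrorAction Stop
    Get-BitsTransfer -AllUsers -ErrorAction Stop |
        Select-Object DisplayName, JobState, OwnerAccount,
            @{ n = 'RemoteUrl'; e = { ($_.FileList | ForEach-Object RemoteName) -join '; ' } } |
        Format-Table -AutoSize
} catch {
    "BITS enumeration failed (not elevated?): $($_.Exception.Message)"
}

if ($findings | Where-Object Suspicious) {
    "Suspicious startup entries found. If the file reappears after deletion, treat the firmware"
    "as the source (see above): the fix is reflashing the firmware, not removing the file."
}
```

A hit on the file name is a lead, not proof of firmware compromise, and a clean run does not clear the machine; it only covers the traces the post describes.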