MosaicRegressor: ‘Chinese’ UEFI Bootkit Snoops on North Korean Foes

Malware that infects below the level of the OS is the holy grail of persistence. It’s fiendishly hard to spot and harder still to remove.

Researchers say they’ve found only the second-known example of UEFI malware. They’re calling it MosaicRegressor, thanks to the patchwork quilt–nature of its modular construction.

Nobody’s 100% sure, but it smells like another product of the Chinese state, on behalf of their friends in Pyongyang. In today’s SB Blogwatch, we power off, unplug and defenestrate.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: HELP!

China Fingered (Again)

What’s the craic? Let’s put Dan Goodin in first—“Custom-made UEFI bootkit found lurking in the wild”:

 For only the second time … cybersecurity researchers have found real-world malware lurking in … the low-level and highly opaque firmware required to boot up nearly every modern computer. … The UEFI—short for Unified Extensible Firmware Interface—is an operating system in its own right. It’s located in a … flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.

[It’s] the perfect place to stash malware, and that’s just what an unknown attack group has done, according to new research. … Three of the four added modules were lifted directly from the stolen source code [that] Hacking Team sold to governments—some from countries with poor human rights records such as Egypt, Saudi Arabia, and Russia.

Researchers … speculate that the attackers who installed the malicious firmware had physical access … it’s certainly plausible. … With the USB key and a few minutes alone with a targeted computer, an attacker could start it up, configure it to boot from the USB key, and allow it to work its magic.

Victims were all either diplomatic entities or members of a non-governmental organization. They were located in Africa, Asia, and Europe and all had ties in their activity to North Korea. … The evidence suggests the attacks were carried out by a Chinese-speaking actor … under the Chinese state intelligence apparatus.

O RLY? Sergiu Gatlan adds—“Second-ever UEFI rootkit”:

 Only one other instance of a UEFI bootkit being used in the wild is known. … LoJax was injected by the Russian-speaking APT28 hacker group within the legit LoJack anti-theft software in the form of patched UEFI modules.

The malicious UEFI firmware images were modified by the attackers by injecting multiple malicious modules that can be used to deploy malware. [It] features several downloaders and, at times, multiple intermediary loaders whose end goals are to download and execute malicious payloads on targets’ machines.

And Tara Seals the deal—“Rare Bootkit Malware Targets North Korea-Linked Diplomats”:

 UEFI is a specification that constitutes the structure and operation of low-level platform firmware, including the loading of the operating system itself. It can also be used when the OS is already up and running, for example in order to update the firmware.

The malicious firmware images contained four components: Two driver execution environment (DXE) drivers and two UEFI applications. Delving even deeper, they found that the components were all based on a customized version of the leaked source code of HackingTeam’s VectorEDK bootkit.

Who discovered it? Kaspersky’s Mark Lechtik, Igor Kuznetsov and Yury Parshin—“MosaicRegressor: Lurking in the Shadows of UEFI”:

 UEFI (or Unified Extensible Firmware Interface) has become a prominent technology that is embedded within designated chips on modern day computer systems. … Typically used to facilitate the machine’s boot sequence and load the operating system … it has become the target of threat actors to carry out exceptionally persistent attacks.

One such attack has become the subject of our research. [It’s] part of a wider malicious framework that we dubbed MosaicRegressor. … Unfortunately, we were not able to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware [so] we can only speculate how the infection could have happened.

UEFI continues to be a point of interest to APT actors. … We noticed several interesting artefacts that provided us with clues on the identity of the actor behind the framework.

We spotted many string … that contain the character sequence ‘0xA3, 0xBA’. … The best match is the “FULL-WIDTH COLON” [in] either the Chinese or Korean code pages (i.e. CP936 and CP949). … Another artefact that we found was a file resource found in CurlReg samples that contained a language identifier set to 2052 (“zh-CN”). … We detected an OLE2 object taken out of a document armed with the CVE-2018-0802 vulnerability, which … is commonly used by Chinese-speaking threat actors.

UEFI? I wish it were easier to pronounce. So does Alekhine:

 I miss calling it BIOS. It was easier to say, was an acronym that made sense, and lined up with the Greek word bios, which means life. Very fitting.

Too bad we couldn’t just call it BIOS v2 or something.

BIOS, SCHMIOS. How did it get in there? eldakka counts the ways:

 Injecting this hacked firmware can be done [using] a bootable USB thumbdrive with the firmware, minimal O/S and the flashing software. Or even with something like ASUS’s ‘flashback’ functionality that can flash from a powered off … PC with just the firmware on the USB stick.

So it could have been done in the factory, in transit, someone with a couple minutes physical access … after delivery, or even remotely. … These days firmware can be updated from a live, running computers multi-user O/S such as windows or Linux etc.

How would you disinfect something that’s compromised at such a low level? malor suggestifies thuswise:

 Since the bogus firmware won’t allow itself to be removed, the device can’t be fixed from software. The only options are replacing the physical ROM or junking it.

Some of the more expensive ASUS boards have a BIOS recovery process. You plug in a USB device with a known-good ROM image into one specific USB port on the back, hold down a specific button that’s also on the back, and power-on the board. [It] is then reflashed by a separate chip that never runs the corrupted BIOS, so it might be able to recover a board that you’d otherwise have to junk.

That kind of out-of-band update is definitely going to be on my list of features for my next board. Even better would be a hardware defeat switch to prevent BIOS changes.

But doesn’t UEFI Secure Boot protect against this? u/meltbox thinks not:

 Secure Boot is for the OS and not the UEFI. The UEFI should be signed however it appears either those keys are known or it’s just a hash of some sort that needs to be recomputed when it’s modified which would not prevent alteration.

Meanwhile, NeoMorpheus is showing their age:

 I miss the old, simple days of using TRS-80’s, C-64’s and BBS’s. This new world is simply scary and off putting.

And Finally:

For the benefit of Mr. Kite

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Klaus “chuttersnap” Tan (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 579 posts and counting.See all posts by richi