Custom-made UEFI bootkit found lurking in the wild

sasha85ru | Getty Images

For only the second time in the annals of cybersecurity, researchers have discovered real-world malware lurking inside the UEFI, the low-level and highly opaque firmware required to boot almost every modern computer.

As software that bridges a PC's hardware with its operating system, the UEFI, short for Unified Extensible Firmware Interface, is an operating system in its own right. It lives in an SPI-connected flash chip soldered onto the motherboard, which makes the code difficult to inspect or patch from within the OS. And it is the very first thing to run when a computer is powered on, allowing it to influence and even control the OS, security software, and everything else that loads afterward.

These traits make the UEFI the perfect place to stash malware, and that is exactly what an unknown attack group has done, according to new research presented on Monday by security firm Kaspersky Lab.

Last year, after the Moscow-based company integrated a new firmware scanner into its antivirus products, researchers recovered a suspicious UEFI image from one of its customers. After further research, Kaspersky Lab discovered that a separate user had been infected with the same UEFI image in 2018. Both infected users were diplomatic figures located in Asia.

The highest level of persistence

Analysis eventually showed that every time the firmware ran, it checked whether a file named IntelUpdate.exe was present in the Windows startup folder. If it wasn't, the UEFI image would write it there, so deleting the file from within Windows only buys time until the next boot. IntelUpdate.exe, it turned out, was a small but essential cog in a large, modular framework built for espionage and data gathering. IntelUpdate.exe acted as the first link in a long chain: it reported to an attacker-controlled server to download another link, which in turn would download further links, all of them customized to the profile of the person being infected.
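The behaviour described above gives a defender one cheap, OS-level tell: a startup-folder entry that comes back after it has been deliberately deleted is being re-created by something that runs before Windows does. The following script is an added example, not Kaspersky's tooling or code from the original article. It snapshots a startup folder (file names and SHA-256 hashes), reports additions, removals and changes between two snapshots, and flags quarantined names that reappear. The `firmware_boot_hook` function is a constructed stand-in for the implant's boot-time behaviour so the check can be exercised offline; the Startup folder paths are the default Windows locations and are an assumption about the target machine, not something the article specifies.

```python
"""Detect a startup-folder dropper that is re-created by code running below the OS.

Added example (not from the original article). The "firmware" here is simulated
so the detection logic can be demonstrated and tested without a real implant.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Default Windows Startup folders (assumption: standard install paths).
STARTUP_DIRS = [
    Path(os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")),
    Path(os.path.expandvars(r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp")),
]

DROPPER_NAME = "IntelUpdate.exe"  # file name reported in the article


def snapshot(folder: Path) -> dict[str, str]:
    """Return {filename: sha256_hex} for every regular file directly inside folder."""
    result: dict[str, str] = {}
    if not folder.is_dir():
        return result
    for entry in sorted(folder.iterdir()):
        if entry.is_file():
            result[entry.name] = hashlib.sha256(entry.read_bytes()).hexdigest()
    return result


def diff_snapshots(before: dict[str, str], after: dict[str, str]):
    """Return (added, removed, changed) file names between two snapshots."""
    added = sorted(n for n in after if n not in before)
    removed = sorted(n for n in before if n not in after)
    changed = sorted(n for n in before if n in after and before[n] != after[n])
    return added, removed, changed


def reappeared(quarantined: list[str], after: dict[str, str]) -> list[str]:
    """Names the analyst removed that are present again: re-created from below the OS."""
    return sorted(n for n in quarantined if n in after)


def firmware_boot_hook(startup: Path, payload: bytes = b"MZ constructed stand-in") -> bool:
    """SIMULATION of the boot-time behaviour the article describes: if the dropper
    is missing from the startup folder, write it back. Returns True if it was re-created."""
    target = startup / DROPPER_NAME
    if target.exists():
        return False
    target.write_bytes(payload)
    return True


def demo() -> list[str]:
    """Run a full simulated cycle in a temp directory and return the reappeared files.

    boot 1: dropper planted -> analyst deletes it -> boot 2: dropper re-created.
    """
    with tempfile.TemporaryDirectory() as d:
        startup = Path(d) / "Startup"
        startup.mkdir()
        (startup / "OneNote.lnk").write_bytes(b"constructed benign shortcut")
        firmware_boot_hook(startup)          # boot 1
        baseline = snapshot(startup)
        added, _, _ = diff_snapshots({"OneNote.lnk": baseline["OneNote.lnk"]}, baseline)
        for name in added:                   # analyst quarantines anything unexpected
            (startup / name).unlink()
        firmware_boot_hook(startup)          # boot 2: the firmware puts it back
        return reappeared(added, snapshot(startup))


if __name__ == "__main__":
    # On a real host: snapshot(STARTUP_DIRS[0]) before and after a reboot instead.
    print("reappeared after deletion:", demo())
```

On a live machine, take `snapshot()` of each entry in `STARTUP_DIRS`, delete the suspect file, reboot, snapshot again and pass the deleted names to `reappeared()`. A hit does not prove a UEFI implant by itself (a scheduled task or service could re-drop a file too), but it rules out the simplest explanation and justifies pulling the SPI flash for comparison against the vendor image.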

The security company is presenting the findings at its Security Analyst Summit @Home conference. In a blog post accompanying the talk, authors Mark Lechtik and Igor Kuznetsov wrote:

The attacks described in this blog post demonstrate the length an actor can go to in order to gain the highest level of persistence on a victim machine. It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target's SPI flash chip, and the high stakes of burning sensitive toolset or assets when doing so.

With this in mind, we see that UEFI continues to be a point of interest to APT actors, while at large being overlooked by security vendors. The combination of our technology and understanding of the current and past campaigns leveraging infected firmware helps us monitor and report on future attacks against such targets.
