Serviceteam IT Security News

An advanced persistent threat (APT) espionage campaign that uses a rare form of malware has been observed attacking diplomats and members of NGOs. 

The campaign, which relies on a firmware bootkit, was identified by researchers at Kaspersky who were operating UEFI/BIOS scanning technology. The previously unknown malware was identified in the Unified Extensible Firmware Interface (UEFI).

UEFI firmware is used in all modern computer devices and starts running before the operating system and all the programs installed in it. This, together with the fact that the firmware resides on a flash chip separate from a device’s hard drive, makes the detection of any malware in UEFI firmware very difficult. 

“If UEFI firmware is somehow modified to contain malicious code, that code will be launched before the operating system, making its activity potentially invisible to security solutions,” said a Kaspersky spokesperson.

“The infection of the firmware essentially means that, regardless of how many times the operating system has been reinstalled, the malware planted by the bootkit will stay on the device.”

Researchers said the UEFI bootkit used with the malware is a customized version of Hacking Team’s Vector-EDK bootkit, the source code for which was leaked in 2015. It is the first in-the-wild attack leveraging a custom-made UEFI bootkit. 

“Once software—be it a bootkit, malware or something else—is leaked, threat actors gain a significant advantage,” said Igor Kuznetsov, principal security researcher at Kaspersky’s GReAT. 

“Freely available tools provide them with an opportunity to advance and customize their toolsets with less effort and lower chances of being detected.”

A sample of the bootkit malware was used in a campaign that deployed variants of a complex, multi-stage modular framework dubbed MosaicRegressor, which served espionage and data-gathering purposes.

Based on the affiliation of the victims, researchers determined that MosaicRegressor was used in a series of targeted attacks aimed at diplomats and members of NGOs from Africa, Asia, and Europe.

Researchers are not certain exactly how the infections occurred, but found that they may have been carried out through physical access to the victim’s machine, specifically via a bootable USB key containing a special update utility. 

Source: Infosecurity Magazine
