… but it still feels like war. Mark Lechtik has a report on a cyber attack via UEFI (the boot module, the replacement for the old BIOS module for us old-timers) on SecureList, and I found his overview of probable adversaries to be fascinating:
Throughout this blog we will elaborate on the following key findings:
- We discovered rogue UEFI firmware images that were modified from their benign counterpart to incorporate several malicious modules;
- The modules were used to drop malware on the victim machines. This malware was part of a wider malicious framework that we dubbed MosaicRegressor;
- Components from that framework were discovered in a series of targeted attacks pointed towards diplomats and members of an NGO from Africa, Asia and Europe, all showing ties in their activity to North Korea;
- Code artefacts in some of the framework’s components and overlaps in C&C infrastructure used during the campaign suggest that a Chinese-speaking actor is behind these attacks, possibly having connections to groups using the Winnti backdoor;
Certainly, China and North Korea are sometimes uneasy allies, so this is certainly plausible. Their finding?
The goal of these added modules [to hacking kit VectorEDK] is to invoke a chain of events that would result in writing a malicious executable named ‘IntelUpdate.exe’ to the victim’s Startup folder. Thus, when Windows is started the written malware would be invoked as well. Apart from that, the modules would ensure that if the malware file is removed from the disk, it will be rewritten. Since this logic is executed from the SPI flash, there is no way to avoid this process other than eliminating the malicious firmware.
Linux continues to look more secure than Windows, doesn’t it? I look forward to future reports.
