Security Week 41: Malicious Code in UEFI

Kaspersky Lab experts have published an interesting studydedicated to the malicious code MosaicRegressor. The code is used by a supposedly cybercriminal group with Chinese roots, it is interesting in that it contains modules for infecting a computer via UEFI. Bootkits like these are still considered one of the most sophisticated types of malware. If infected successfully, they allow you to re-infect the operating system even after reinstallation.

In this case, several UEFI images were detected with malicious code already embedded. This code has only one function – it adds the file contained inside to the Windows startup folder. The further attack develops according to a typical cyber espionage scenario, with theft of documents and sending other data to C&C servers. Another unexpected nuance of this study: the malicious code in UEFI uses sources that were previously made public as a result of hacking into the infrastructure of the Hacking Team.

[1/n] I’m happy to share a significant research done by @ 2igosha and myself. What we found was a UEFI rootkit in the wild, customized from Hacking Team’s leaked Vector-EDK code. That would be the second time we see something like this publiclyhttps://t.co/d4Sj29q3Yp
– Mark Lechtik (@_marklech_) October 5, 2020

Four modules were found in infected UEFI images as shown in the screenshot above. Two perform service functions, including those responsible for launching malicious code at the right time (right before the operating system boots). Another is the driver for the NTFS file system. The main malicious module contains the IntelUpdate.exe file, which is written to the SSD or hard drive in the Windows autorun directory.

Two service modules and a driver seem to be borrowed from the Vector-EDK code. This is a bootkit, the source code of which was made public after a massive data leak from the Hacking Team company. This organization, which develops methods of attacks on computer systems commissioned by government agencies, was itself hacked in 2015, as a result of which both internal correspondence and an extensive knowledge base got into the public domain.

Unfortunately, the researchers were unable to identify the UEFI infection method. Among the several dozen victims of MosaicRegressor, only two affected computers had a modified base bootloader. If you rely on the same leak from the Hacking Team, then it offers manual infection by connecting a USB flash drive to the computer, from which UEFI is loaded with a makeweight. The deleted UEFI patch cannot be ruled out, but it would require hacking the download and installation process of updates.

The spy module installed on the attacked computers connects to the command center and downloads the modules necessary for further work. For example, one of the mechanisms picks up recently opened documents, packs them into a password archive and sends them to the organizers. Another interesting point: for communication, both traditional methods of communication with control servers and work through a public mail service using the POP3S / SMTP / IMAPS protocol are used. Both modules are loaded and data is sent to the organizers of the attack via mail.

What else happened

The register reminds on the end of support by the mail server manufacturer Microsoft Exchange 2010. The authors of the article note that 139 thousand servers are currently available from the network, security updates for which will soon cease. A Threatpost writes that a vulnerability discovered in January in the Microsoft Exchange Control Panel (versions 2013–2019) has not yet been closed on 61% of servers.

HP Device Manager for this company’s thin client management software discovered a backdoor, or rather, a service account forgotten by the developer.

Despite Google’s efforts, Joker malware variants continue from time to time undergo verification of the Google Play app store. The malware, as a rule, subscribes victims to paid services without their knowledge.