Rare Bootkit Malware Targets North Korea-Linked Diplomats
2020-10-05 17:12

Kaspersky observed several dozen victims who received components from the MosaicRegressor framework between 2017 and 2019 - all of whom had ties to North Korea.

"UEFI firmware makes for a perfect mechanism of persistent malware storage," Kaspersky researchers explained.

Delving even deeper, they found that the components were all based on a customized version of the leaked source code of HackingTeam's VectorEDK bootkit.

One of these firmware components serves as a first-stage loader that deploys the main bootkit component, SmmAccessSub, later in the attack chain.
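The practical check that follows from the reporting above is to dump the SPI flash of a suspect machine and compare the executable files in its firmware volumes against a known-good dump of the same platform: a DXE or SMM driver that exists only in the suspect image is exactly what a firmware implant looks like. The script below is an added example written for this page, not Kaspersky's tooling or any MosaicRegressor code. It walks the UEFI PI structures (EFI_FIRMWARE_VOLUME_HEADER, EFI_FFS_FILE_HEADER and the UI section that carries a module's name) and reports executables missing from the golden image. Both images, every GUID and every module name are constructed in-line and hypothetical; header checksums and FFS3 extended-size files are not handled, which production tools such as UEFITool or uefi_firmware-parser do.

```python
import re
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FFS2_GUID = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FILE_TYPES = {0x01: "RAW", 0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER", 0x0A: "SMM",
              0x0B: "FV_IMAGE", 0x0C: "COMBINED_SMM_DXE", 0x0D: "SMM_CORE", 0xF0: "PAD"}
CODE_TYPES = {"DXE_CORE", "PEIM", "DRIVER", "SMM", "COMBINED_SMM_DXE", "SMM_CORE"}
SECTION_UI = 0x15  # EFI_SECTION_USER_INTERFACE: module name as UCS-2


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


# --- parsing a flash dump -----------------------------------------------------
def find_volumes(image):
    """Return the offset of every plausible firmware volume header in the dump."""
    found = []
    for m in re.finditer(FV_SIGNATURE, image):
        start = m.start() - 40                                  # Signature sits at offset 40
        if start < 0:
            continue
        fv_len, = struct.unpack_from("<Q", image, start + 32)   # FvLength
        hdr_len, = struct.unpack_from("<H", image, start + 48)  # HeaderLength
        if 56 <= hdr_len <= fv_len and start + fv_len <= len(image):
            found.append(start)
    return found


def ui_name(file_body):
    """Walk the 4-byte-aligned sections of an FFS file and return its UI name, if any."""
    pos = 0
    while pos + 4 <= len(file_body):
        size = int.from_bytes(file_body[pos:pos + 3], "little")
        stype = file_body[pos + 3]
        if size < 4 or size == 0xFFFFFF:  # 0xFFFFFF = FFS3 extended-size section, not handled
            break
        if stype == SECTION_UI:
            return file_body[pos + 4:pos + size].decode("utf-16-le").rstrip("\x00")
        pos = _align(pos + size, 4)
    return None


def list_files(image, fv_off):
    """Yield (guid, type, name) for each EFI_FFS_FILE_HEADER in the volume at fv_off."""
    fv_len, = struct.unpack_from("<Q", image, fv_off + 32)
    hdr_len, = struct.unpack_from("<H", image, fv_off + 48)
    pos, end = fv_off + hdr_len, fv_off + fv_len
    while pos + 24 <= end:
        name = image[pos:pos + 16]
        if name == b"\xFF" * 16:                                # erased flash: no more files
            break
        ftype = image[pos + 18]
        size = int.from_bytes(image[pos + 20:pos + 23], "little")  # 24-bit size incl. header
        if size < 24 or pos + size > end:
            break
        yield (str(uuid.UUID(bytes_le=name)).upper(),
               FILE_TYPES.get(ftype, "0x%02X" % ftype),
               ui_name(image[pos + 24:pos + size]))
        pos = fv_off + _align(pos + size - fv_off, 8)           # files are 8-byte aligned in the FV


def code_inventory(image):
    """Map GUID -> (type, name) for every executable FFS file across all volumes."""
    return {guid: (ftype, name) for fv in find_volumes(image)
            for guid, ftype, name in list_files(image, fv) if ftype in CODE_TYPES}


def unexpected_code(suspect_image, golden_image):
    """Executables present in the suspect dump but absent from the golden dump."""
    golden = code_inventory(golden_image)
    return {g: v for g, v in code_inventory(suspect_image).items() if g not in golden}


# --- constructed test images (hypothetical GUIDs and names, not real firmware) --
def _section(stype, payload):
    return (4 + len(payload)).to_bytes(3, "little") + bytes([stype]) + payload


def _ffs_file(guid, ftype, name):
    body = _section(SECTION_UI, (name + "\x00").encode("utf-16-le"))
    body += b"\x00" * (_align(len(body), 4) - len(body))
    size = 24 + len(body)
    # IntegrityCheck left as 0; real tooling verifies the header checksum
    return (guid.bytes_le + struct.pack("<HBB", 0, ftype, 0)
            + size.to_bytes(3, "little") + b"\xF8" + body)


def _volume(files):
    body = b""
    for f in files:
        body += f + b"\xFF" * (_align(len(f), 8) - len(f))
    body += b"\xFF" * 64                                        # unused, erased space
    hdr_len = 56 + 2 * 8                                        # fixed header + block map + terminator
    fv_len = hdr_len + len(body)
    hdr = (b"\x00" * 16 + FFS2_GUID.bytes_le
           + struct.pack("<QIIHHHBB", fv_len, 0x4856465F, 0x0004FEFF, hdr_len, 0, 0, 0, 2)
           + struct.pack("<IIII", 1, fv_len, 0, 0))
    return hdr + body


PLATFORM_DXE = uuid.UUID("0A1B2C3D-0001-4000-8000-000000000001")  # hypothetical
PLATFORM_SMM = uuid.UUID("0A1B2C3D-0002-4000-8000-000000000002")  # hypothetical
VPD_DATA = uuid.UUID("0A1B2C3D-0003-4000-8000-000000000003")      # hypothetical
IMPLANT = uuid.UUID("DEADBEEF-0004-4000-8000-000000000004")       # hypothetical

GOLDEN_IMAGE = _volume([_ffs_file(PLATFORM_DXE, 0x07, "PlatformDxe"),
                        _ffs_file(PLATFORM_SMM, 0x0A, "PlatformSmm"),
                        _ffs_file(VPD_DATA, 0x01, "VpdData")])
SUSPECT_IMAGE = _volume([_ffs_file(PLATFORM_DXE, 0x07, "PlatformDxe"),
                         _ffs_file(PLATFORM_SMM, 0x0A, "PlatformSmm"),
                         _ffs_file(VPD_DATA, 0x01, "VpdData"),
                         _ffs_file(IMPLANT, 0x07, "ImplantDxe")])

if __name__ == "__main__":
    for guid, (ftype, name) in unexpected_code(SUSPECT_IMAGE, GOLDEN_IMAGE).items():
        print("UNEXPECTED %-8s %s %s" % (ftype, guid, name))
```

On a real dump, replace the constructed images with the bytes read from the SPI flash of the suspect machine and from a clean machine of the same model and firmware version; differences in module GUIDs or in non-executable files are a starting point for analysis, not proof on their own, since a legitimate firmware update also changes the inventory.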

Kaspersky did uncover one example of a late-stage component, an info-stealer called "Load.rem." It fetches files from the "Recent Documents" directory and archives them with a password, "Likely as a preliminary step before exfiltrating the result to the C2 by another component," according to Kaspersky.


News URL

https://threatpost.com/bootkit-malware-north-korea-diplomats/159846/