Security News > 2020 > October > Rare Bootkit Malware Targets North Korea-Linked Diplomats
Kaspersky observed several dozen victims who received components from the MosaicRegressor framework between 2017 and 2019 - all of whom had ties to North Korea.
"UEFI firmware makes for a perfect mechanism of persistent malware storage," Kaspersky researchers explained.
Delving even deeper, they found that the components were all based on a customized version of the leaked source code of HackingTeam's VectorEDK bootkit.
It's used as a first-stage tool to deploy the main bootkit component, SmmAccessSub, later on in the attack chain.
Kaspersky did uncover one example of a late-stage component, an info-stealer called "Load.rem." It fetches files from the "Recent Documents" directory and archives them with a password, "Likely as a preliminary step before exfiltrating the result to the C2 by another component," according to Kaspersky.
News URL
https://threatpost.com/bootkit-malware-north-korea-diplomats/159846/
Related news
- Five charged for cyber schemes to benefit North Korea's weapons program (source)
- Five charged for cyber schemes to benefit North Korea's weapons program (source)
- Five charged for cyber schemes to benefit North Korea's weapons program (source)
- North Korea building cash reserves using ransomware, video games (source)