Rare Bootkit Malware Targets North Korea-Linked Diplomats (Security News, October 2020)

Kaspersky observed several dozen victims who received components from the MosaicRegressor framework between 2017 and 2019 - all of whom had ties to North Korea.
"UEFI firmware makes for a perfect mechanism of persistent malware storage," Kaspersky researchers explained.
Delving even deeper, they found that the components were all based on a customized version of the leaked source code of HackingTeam's VectorEDK bootkit.
The customized bootkit code is used as a first-stage tool to deploy the main bootkit component, SmmAccessSub, later in the attack chain.
Kaspersky did uncover one example of a late-stage component, an info-stealer called "Load.rem." It fetches files from the "Recent Documents" directory and archives them with a password, "likely as a preliminary step before exfiltrating the result to the C2 by another component," according to Kaspersky.
News URL: https://threatpost.com/bootkit-malware-north-korea-diplomats/159846/