UEFI malware rears ugly head again: Kaspersky uncovers campaign with whiff of China (Security News, October 2020)
Russian antivirus maker Kaspersky has said it uncovered "rogue UEFI firmware images" seemingly developed by black hats with links to China.
The firm explained that UEFI firmware is "typically shipped within SPI flash storage that is soldered to the computer's motherboard", and thus any malware injected into it is "resistant to OS reinstallation or replacement of the hard drive." The technique shot to public prominence in 2015 when malware-for-governments purveyor Hacking Team was itself hacked, with details of its firmware-level spyware becoming public knowledge.
The malware-laden MosaicRegressor images were discovered in use as part of a wider campaign targeting charities in Africa, Asia, and Europe, "all showing ties in their activity to North Korea" - though Kaspersky attributed the malicious software to "a Chinese-speaking" person or group, possibly connected to the Winnti hacking crew.
Among other components, Kaspersky found "a DXE driver that is based on Hacking Team's 'rkloader' component" and a Hacking Team driver called ntfs.
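Because the implant lives in the SPI flash and is delivered as a DXE driver inside a UEFI firmware volume, the defensive check is to dump the flash and compare its contents against the vendor's image. The following Python script is an added example, not code from The Register, Kaspersky, or the MosaicRegressor report: it parses a UEFI firmware volume (the `_FVH` header and the FFS file headers defined in the UEFI PI specification), lists every embedded file with its type, verifies each file header's checksum, and reports files whose GUID is not on a known-good allowlist. The sample volume, its two driver GUIDs, and the `BASELINE` allowlist are all constructed placeholders; a real check would use a flash dump and the GUID list extracted from the vendor's own firmware update.

```python
import struct
import uuid

# EFI_FIRMWARE_VOLUME_HEADER (PI spec): ZeroVector[16], FileSystemGuid[16], FvLength u64,
# Signature u32 ("_FVH"), Attributes u32, HeaderLength u16, Checksum u16,
# ExtHeaderOffset u16, Reserved u8, Revision u8, followed by the block map.
FV_HEADER = struct.Struct("<16s16sQ4sIHHHBB")
FV_SIGNATURE = b"_FVH"
FFS2_GUID = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FFS3_GUID = uuid.UUID("5473C07A-3DCB-4DCA-BD6F-1E9689E7349A")  # EFI_FIRMWARE_FILE_SYSTEM3_GUID

# EFI_FFS_FILE_HEADER: Name[16], IntegrityCheck u16, Type u8, Attributes u8, Size[3], State u8
FFS_HEADER_LEN = 24
FILE_TYPES = {0x01: "RAW", 0x02: "FREEFORM", 0x03: "SECURITY_CORE", 0x04: "PEI_CORE",
              0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER", 0x08: "COMBINED_PEIM_DRIVER",
              0x09: "APPLICATION", 0x0B: "FIRMWARE_VOLUME_IMAGE", 0xF0: "FFS_PAD"}


def ffs_header_checksum_ok(hdr: bytes) -> bool:
    """Header checksum per the PI spec: the 24 header bytes sum to zero (mod 256)
    with IntegrityCheck.File (byte 17) and State (byte 23) treated as zero."""
    b = bytearray(hdr)
    b[17] = 0
    b[23] = 0
    return sum(b) % 256 == 0


def parse_volume(image: bytes) -> list:
    """Walk one firmware volume and describe each FFS file it contains."""
    _, fs_guid, fv_len, sig, _attrs, hdr_len, _cksum, _ext, _res, _rev = FV_HEADER.unpack_from(image, 0)
    if sig != FV_SIGNATURE:
        raise ValueError("not a firmware volume: bad _FVH signature")
    if uuid.UUID(bytes_le=fs_guid) not in (FFS2_GUID, FFS3_GUID):
        raise ValueError("unsupported firmware file system GUID")
    end = min(fv_len, len(image))
    off = hdr_len
    files = []
    while off + FFS_HEADER_LEN <= end:
        off = (off + 7) & ~7  # FFS files are 8-byte aligned inside the volume
        hdr = image[off:off + FFS_HEADER_LEN]
        if len(hdr) < FFS_HEADER_LEN or hdr[:16] == b"\xff" * 16:
            break  # erased flash (all 0xFF): no more files
        size = hdr[20] | (hdr[21] << 8) | (hdr[22] << 16)  # 24-bit size includes the header
        if size < FFS_HEADER_LEN:
            raise ValueError(f"corrupt FFS header at offset {off:#x}")
        files.append({
            "offset": off,
            "guid": str(uuid.UUID(bytes_le=hdr[:16])).upper(),
            "type": FILE_TYPES.get(hdr[18], f"0x{hdr[18]:02X}"),
            "size": size,
            "header_ok": ffs_header_checksum_ok(hdr),
        })
        off += size
    return files


def unexpected_files(image: bytes, baseline_guids: set) -> list:
    """Files not present in the vendor allowlist, or with a failing header checksum."""
    return [f for f in parse_volume(image)
            if f["guid"] not in baseline_guids or not f["header_ok"]]


# --- constructed sample volume so the script runs offline ---------------------------
def _ffs_file(guid: uuid.UUID, ftype: int, payload: bytes) -> bytes:
    size = FFS_HEADER_LEN + len(payload)
    hdr = bytearray(guid.bytes_le + b"\x00\x00" + bytes([ftype, 0x00])
                    + size.to_bytes(3, "little") + b"\x00")
    hdr[16] = (-sum(hdr)) & 0xFF  # IntegrityCheck.Header: make the header sum to zero
    hdr[17] = 0xAA                # IntegrityCheck.File: FFS_FIXED_CHECKSUM (no data checksum)
    hdr[23] = 0xF8                # State bits; ignored by this parser
    body = bytes(hdr) + payload
    return body + b"\xff" * (-len(body) % 8)


def build_sample_volume(ffs_files: list) -> bytes:
    body = b"".join(ffs_files)
    hdr_len = FV_HEADER.size + 16           # one block-map entry plus the (0,0) terminator
    fv_len = (hdr_len + len(body) + 0xFFF) & ~0xFFF  # round up to a 4 KiB block
    header = FV_HEADER.pack(b"\x00" * 16, FFS2_GUID.bytes_le, fv_len, FV_SIGNATURE,
                            0x0004FEFF, hdr_len, 0, 0, 0, 2)
    block_map = struct.pack("<IIII", fv_len // 0x1000, 0x1000, 0, 0)
    image = header + block_map + body
    return image + b"\xff" * (fv_len - len(image))


# Placeholder GUIDs: the first is on the (hypothetical) vendor allowlist, the second is not.
BASELINE = {"11111111-2222-4333-8444-555555555555"}
SAMPLE_IMAGE = build_sample_volume([
    _ffs_file(uuid.UUID("11111111-2222-4333-8444-555555555555"), 0x07, b"MZ" + b"\x00" * 30),
    _ffs_file(uuid.UUID("AAAAAAAA-BBBB-4CCC-8DDD-EEEEEEEEEEEE"), 0x07, b"MZ" + b"\x00" * 30),
])

if __name__ == "__main__":
    for f in parse_volume(SAMPLE_IMAGE):
        print(f"{f['offset']:#06x} {f['type']:<8} {f['size']:>6} {f['guid']} ok={f['header_ok']}")
    print("not in baseline:", [f["guid"] for f in unexpected_files(SAMPLE_IMAGE, BASELINE)])
```

Run against a real SPI dump, the volume walk has to be repeated for every `_FVH` signature in the image (a flash region usually holds several volumes), and an unlisted DXE driver is only a lead: confirm it against the vendor's update package before treating it as an implant.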
Kaspersky noted it was unable to find out exactly how the malicious firmware images were injected into victims' computers: the data could have been inserted while the equipment was in transit, or at the factory, or installed by malware running on the machine, and so on.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/10/05/uefi_rootkit_kaspersky_china/