FinFisher malware hijacks Windows Boot Manager with UEFI bootkit (Security News, September 2021)
The commercially developed FinFisher (FinSpy) malware can now infect Windows devices with a UEFI bootkit that replaces the Windows Boot Manager.
"During our research, we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager replaced with a malicious one," Kaspersky researchers revealed today.
"This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks. UEFI infections are very rare and generally hard to execute, and they stand out due to their evasiveness and persistence."
Firmware-resident UEFI implants are highly persistent because they live in the SPI flash soldered to the motherboard, so replacing the hard drive or even reinstalling the OS does not remove them.
They give attackers control over the operating system's boot process and let them disable OS defenses, including the Secure Boot mechanism, which can only be trusted as far as the firmware that enforces it is intact.
"While in this case the attackers did not infect the UEFI firmware itself, but its next boot stage, the attack was particularly stealthy, as the malicious module was installed on a separate partition and could control the boot process of the infected machine," the researchers added.
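Because the replaced component in this case sits on the EFI System Partition (ESP) rather than in SPI flash, it can be inspected from the running OS. The script below is an added example, not Kaspersky's tooling and not code from the article: it mounts the ESP, checks that `bootmgfw.efi` still carries a valid Microsoft Authenticode signature, compares its hash with the reference copy Windows keeps under `C:\Windows\Boot\EFI`, and reports the Secure Boot state. The drive letter `S:` and the function name `Test-BootManagerIntegrity` are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or Kaspersky): sanity-check the Windows
# Boot Manager on the EFI System Partition against the infection pattern above.
# Assumptions: the ESP is unmounted and S: is free; administrator rights.
#Requires -RunAsAdministrator

$EspLetter  = 'S:'
$EspBootMgr = Join-Path $EspLetter 'EFI\Microsoft\Boot\bootmgfw.efi'
$RefBootMgr = Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi'   # copy bcdboot uses

function Test-BootManagerIntegrity {
    param([string]$EspPath, [string]$RefPath)
    $findings = @()

    if (-not (Test-Path $EspPath)) { return @("Boot manager not found at $EspPath") }

    # 1. Authenticode: a swapped-in boot manager is normally unsigned or not Microsoft-signed.
    $sig = Get-AuthenticodeSignature -FilePath $EspPath
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status on ESP copy is '$($sig.Status)' (expected 'Valid')"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "ESP copy signed by unexpected subject: $($sig.SignerCertificate.Subject)"
    }

    # 2. Hash against the reference copy shipped in the OS image. The two can differ
    #    legitimately around servicing updates, so treat a mismatch as a lead, not a verdict.
    if (Test-Path $RefPath) {
        $espHash = (Get-FileHash -Algorithm SHA256 -Path $EspPath).Hash
        $refHash = (Get-FileHash -Algorithm SHA256 -Path $RefPath).Hash
        if ($espHash -ne $refHash) {
            $findings += "SHA256 mismatch: ESP=$espHash Reference=$refHash"
        }
    }

    # 3. Secure Boot: when enforced, firmware should refuse an unsigned bootmgfw.efi;
    #    when it is off, the file checks above are the only line of defence.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is disabled' }
    } catch {
        $findings += "Secure Boot state unavailable: $($_.Exception.Message)"
    }

    return $findings
}

# mountvol /S maps the EFI System Partition to the given drive letter.
mountvol $EspLetter /S
try {
    $result = @(Test-BootManagerIntegrity -EspPath $EspBootMgr -RefPath $RefBootMgr)
    if ($result.Count -eq 0) { 'Windows Boot Manager on the ESP looks intact.' }
    else { $result | ForEach-Object { "FINDING: $_" } }
} finally {
    mountvol $EspLetter /D
}
```

A clean result only says the on-disk Boot Manager is the one Microsoft signed; it says nothing about the firmware itself, which this particular FinSpy variant did not touch but which a true SPI-flash implant would.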