The Unified Extensible Firmware Interface (UEFI) is the software that lives on your computer’s motherboard. It is the first thing to run when you boot up the system, which gives it access to almost every component of the operating system. It also persists after reboots, formats, and even replacement of system parts. Because the UEFI resides on a flash memory chip soldered to the board, it’s very hard to inspect for malware and even harder to purge.
So, if you want to own a system and minimize the likelihood of getting caught, UEFI malware is the way to go. The problem is that it’s very difficult to get malicious code into UEFI systems. However, Kaspersky integrated a dedicated firmware scanner into its antivirus products in 2019. Now, the company says it has detected the second known instance of UEFI malware, which it calls MosaicRegressor.
The infection was discovered on just two computers, both belonging to diplomatic officials in Asia. The full exploit chain is long and varied, allowing the attackers to load a number of modules to control the target system and steal data. However, it all begins with the UEFI loader. On each boot, MosaicRegressor checks whether its malicious “IntelUpdate.exe” file is in the Windows startup folder. If not, it adds the file. This is the gateway to everything else MosaicRegressor can do. We don’t even know the full extent of the operation’s capabilities, as Kaspersky was only able to capture a handful of the malware modules. The team has confirmed that MosaicRegressor can exfiltrate files from infected systems, though.
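The boot-time behaviour described above gives defenders one cheap, OS-level check: look for the dropped file name in the Windows startup folders, hash whatever is found, and watch whether the file comes back after you remove it and reboot. The script below is an added example written for this article; it is not code from Kaspersky or from the malware. It assumes the standard Windows startup folder locations under `%APPDATA%` and `%PROGRAMDATA%` and matches only the file name the article reports; the sample file it creates for the stand-alone demo is a constructed, harmless placeholder, not a real artifact.

```python
"""Added example: scan Windows startup folders for the dropped file named in the article."""
import hashlib
import os
import tempfile
from pathlib import Path

# File name reported in the article; matched case-insensitively.
INDICATOR_NAMES = {"intelupdate.exe"}

# Constructed placeholder content for the offline demo (not the real file).
SAMPLE_CONTENT = b"constructed placeholder for the added example, not malware\n"


def default_startup_dirs():
    """Per-user and all-users startup folders (assumption: standard Windows layout)."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("PROGRAMDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup")
    if programdata:
        dirs.append(Path(programdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp")
    return dirs


def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file so the result can be compared across reboots and hosts."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_startup(dirs, names=INDICATOR_NAMES):
    """Return one record per matching file: path, size and SHA-256."""
    hits = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for entry in d.iterdir():
            if entry.is_file() and entry.name.lower() in names:
                hits.append({
                    "path": str(entry),
                    "size": entry.stat().st_size,
                    "sha256": sha256_of(entry),
                })
    return hits


def reappeared(before, after):
    """Records present in `after` but not in `before`.

    Run a scan, delete the file, reboot, scan again: a file that comes back
    on its own is exactly the re-drop behaviour the article attributes to the
    firmware component, and is the cue to move from OS triage to firmware
    inspection rather than keep cleaning the startup folder.
    """
    seen = {h["path"] for h in before}
    return [h for h in after if h["path"] not in seen]


def demo_scan():
    """Offline demo: build a temp startup folder with the constructed sample and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        (startup / "IntelUpdate.exe").write_bytes(SAMPLE_CONTENT)  # constructed placeholder
        (startup / "notes.txt").write_bytes(b"unrelated file, must not match\n")
        return scan_startup([startup])


if __name__ == "__main__":
    # Real scan of this host's startup folders (empty list on non-Windows hosts).
    for hit in scan_startup(default_startup_dirs()):
        print("startup folder indicator:", hit)
    # Constructed demo so the script shows output on any platform.
    for hit in demo_scan():
        print("demo hit:", hit)
```

A hit only tells you that a file with that name is present; record the hash, remove the file, and repeat the scan after a reboot. If `reappeared()` reports it again with no OS-level persistence mechanism to explain it, the next step is a firmware dump and comparison against a known-good image, which is what the article says Kaspersky's scanner does.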
Kaspersky researchers note that the attack appears to come from a Chinese-speaking individual or group; it may be a tool developed by the Chinese government for all we know. Kaspersky was unable to determine how the original UEFI code was altered, but the team made some educated guesses based on a piece of 2015 UEFI malware. That exploit required physical access to the device, making it unlikely that anyone other than the targets would get infected. That implies a professional operation orchestrated by an intelligence agency, but we’re unlikely to ever get confirmation of that.