This is the second time that security researchers have discovered UEFI malware.


Kaspersky security researchers have discovered a rootkit in the wild that infects Unified Extensible Firmware Interface (UEFI) firmware, the modern replacement for the BIOS. This is only the second time that malicious UEFI firmware has been confirmed in use by threat actors in the wild, in this case in targeted attacks against NGOs in Africa, Asia, and Europe.

Rootkits of this kind are also highly resistant to traditional detection and removal: because the malware lives in the UEFI, it is loaded while the PC is still initializing, before the operating system and anti-virus software have any opportunity to intervene and stop the malicious activity. And that is only part of the problem. Because the rootkit resides in the BIOS/UEFI, the PC remains infected even if the OS is reinstalled or the storage drive is replaced outright.

Kaspersky has named this particular rootkit strain MosaicRegressor. This rootkit was discovered during an investigation of several suspicious UEFI firmware images. Kaspersky discovered that several components of this rootkit were based on the leaked source code of HackingTeam's VectorEDK bootkit, with a few modifications and modules added into the mix.
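Kaspersky found the implant by examining firmware images, and the defender-side check that follows from that is to dump the SPI flash and inventory the modules inside it against a known-good image from the vendor. The Python below is an added example, not Kaspersky's tooling or anything from the article: it parses the firmware-volume and FFS file headers as laid out in the UEFI PI specification, verifies the volume header checksum, and diffs two images by module GUID. Every module GUID, payload and image in it is constructed for the demonstration; the FFS2 filesystem GUID is the only real identifier used, and a real dump would come from a flash reader rather than the builder shown here.

```python
"""Inventory the files inside a UEFI firmware volume and diff it against a
known-good image. Added example: header layouts follow the UEFI PI spec
(EFI_FIRMWARE_VOLUME_HEADER, EFI_FFS_FILE_HEADER); every image, payload and
module GUID below is constructed for the demonstration."""
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FFS2_GUID = "8c8ce578-8a3d-4f1c-9935-896185c32dd3"    # EFI_FIRMWARE_FILE_SYSTEM2_GUID
# ZeroVector, FileSystemGuid, FvLength, Signature, Attributes, HeaderLength,
# Checksum, ExtHeaderOffset, Reserved, Revision: 56 bytes, then the block map.
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)
# Name, IntegrityCheck, Type, Attributes, Size[3], State: 24 bytes.
FFS_HEADER_FMT = "<16sHBB3sB"
FFS_HEADER_SIZE = struct.calcsize(FFS_HEADER_FMT)
FREE_SPACE = b"\xff" * 16            # erased flash where a file GUID would be: no more files
FILE_TYPES = {0x01: "RAW", 0x02: "FREEFORM", 0x03: "SECURITY_CORE", 0x04: "PEI_CORE",
              0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER", 0x08: "COMBINED_PEIM_DRIVER",
              0x09: "APPLICATION", 0x0A: "SMM", 0x0B: "FV_IMAGE", 0xF0: "PAD"}


def header_checksum(header):
    """16-bit word sum over the volume header; the Checksum field is chosen to make it zero."""
    return sum(struct.unpack("<%dH" % (len(header) // 2), header)) & 0xFFFF


def parse_firmware_volume(image):
    """Return [(guid, type_name, size)] for each file in the volume starting at offset 0."""
    (_zero, _fs, fv_length, signature, _attrs, header_length,
     _checksum, _ext, _reserved, _rev) = struct.unpack_from(FV_HEADER_FMT, image, 0)
    if signature != FV_SIGNATURE:
        raise ValueError("no _FVH signature: not a firmware volume")
    if fv_length > len(image) or header_length > fv_length:
        raise ValueError("FvLength/HeaderLength exceed the image")
    # The checksum catches corruption, not tampering: whoever rewrites the flash
    # can recompute it, so the real signal is the module diff further down.
    if header_checksum(image[:header_length]) != 0:
        raise ValueError("firmware volume header checksum mismatch")
    files, offset = [], header_length
    while offset + FFS_HEADER_SIZE <= fv_length:
        name, _ic, ftype, _fa, size3, _state = struct.unpack_from(FFS_HEADER_FMT, image, offset)
        if name == FREE_SPACE:
            break
        size = int.from_bytes(size3, "little")            # 24-bit size includes the header
        if size < FFS_HEADER_SIZE or offset + size > fv_length:
            raise ValueError("corrupt FFS file header at offset 0x%x" % offset)
        files.append((str(uuid.UUID(bytes_le=name)), FILE_TYPES.get(ftype, "0x%02X" % ftype), size))
        offset = (offset + size + 7) & ~7                 # files are 8-byte aligned
    return files


def build_firmware_volume(files, fv_length=0x1000):
    """Assemble a constructed firmware volume from (guid, type, payload) tuples."""
    block_map = struct.pack("<IIII", 1, fv_length, 0, 0)  # one block, then the terminator
    header_length = FV_HEADER_SIZE + len(block_map)
    header = struct.pack(FV_HEADER_FMT, b"\0" * 16, uuid.UUID(FFS2_GUID).bytes_le, fv_length,
                         FV_SIGNATURE, 0, header_length, 0, 0, 0, 2) + block_map
    fix = (-header_checksum(header)) & 0xFFFF
    body = bytearray(header[:50] + struct.pack("<H", fix) + header[52:])  # Checksum at offset 50
    for guid, ftype, payload in files:
        size = FFS_HEADER_SIZE + len(payload)
        body += struct.pack(FFS_HEADER_FMT, uuid.UUID(guid).bytes_le, 0, ftype, 0,
                            size.to_bytes(3, "little"), 0xF8) + payload
        body += b"\xff" * (-len(body) & 7)                # pad to the next 8-byte boundary
    if len(body) > fv_length:
        raise ValueError("files do not fit in the volume")
    return bytes(body) + b"\xff" * (fv_length - len(body))


def diff_against_baseline(baseline_image, suspect_image):
    """Report modules added, removed or changed relative to the known-good image."""
    baseline = {g: (t, s) for g, t, s in parse_firmware_volume(baseline_image)}
    suspect = {g: (t, s) for g, t, s in parse_firmware_volume(suspect_image)}
    return {"added": sorted(g for g in suspect if g not in baseline),
            "removed": sorted(g for g in baseline if g not in suspect),
            "changed": sorted(g for g in suspect if g in baseline and suspect[g] != baseline[g])}


# Constructed GUIDs standing in for two vendor DXE drivers and one unexpected extra module.
VENDOR_DRIVER_A = "11111111-2222-4333-8444-555555555555"
VENDOR_DRIVER_B = "66666666-7777-4888-8999-aaaaaaaaaaaa"
UNEXPECTED_DRIVER = "deadbeef-0000-4000-8000-000000000001"
BASELINE_IMAGE = build_firmware_volume([(VENDOR_DRIVER_A, 0x07, b"MZ" + b"\0" * 62),
                                        (VENDOR_DRIVER_B, 0x07, b"MZ" + b"\0" * 30)])
SUSPECT_IMAGE = build_firmware_volume([(VENDOR_DRIVER_A, 0x07, b"MZ" + b"\0" * 62),
                                       (VENDOR_DRIVER_B, 0x07, b"MZ" + b"\0" * 30),
                                       (UNEXPECTED_DRIVER, 0x07, b"MZ" + b"\0" * 46)])

if __name__ == "__main__":
    for guid, ftype, size in parse_firmware_volume(SUSPECT_IMAGE):
        print("%s %-8s %5d bytes" % (guid, ftype, size))
    print(diff_against_baseline(BASELINE_IMAGE, SUSPECT_IMAGE))
```

The diff is only as good as the baseline: it should be a dump of the vendor's own update image for the exact board and firmware version, not a dump taken from the machine under investigation. A module that is present in the suspect dump but absent from the vendor image is exactly what an analyst then pulls out for inspection; a changed size for a known GUID deserves the same attention.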

"The purpose of these additional modules is to invoke a series of events that write a malicious executable file called 'IntelUpdate.exe' to the victim's startup folder. Thus, when Windows starts up, the written malware is also launched. Apart from that, this module makes sure that when the malware file is deleted from the disk, it is rewritten," Kaspersky said.
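The behaviour Kaspersky describes, a Startup-folder entry that comes back after it is deleted, is itself a detectable signal: nothing inside a clean OS re-creates a deleted startup item, so a re-appearance points at a writer outside the OS. The Python below is an added example, not Kaspersky's tooling: it snapshots a Startup folder by file hash, classifies differences between scans, and flags names that were removed and later returned. The two folder paths are the standard Windows Startup locations; the scenario it runs is constructed in a throwaway temporary directory with a placeholder file rather than any real binary.

```python
"""Snapshot a Startup folder and flag entries that reappear after deletion.
Added example: STARTUP_FOLDERS are the standard Windows locations; the
scenario in run_demo() is constructed in a temporary directory."""
import hashlib
import os
import tempfile

STARTUP_FOLDERS = [
    os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.join(os.environ.get("ProgramData", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
]
PLACEHOLDER = b"constructed placeholder content, not a real binary"


def snapshot(folder):
    """Map each file in the folder to its SHA-256 so content changes show up as well."""
    entries = {}
    if not os.path.isdir(folder):
        return entries
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                entries[name] = hashlib.sha256(fh.read()).hexdigest()
    return entries


def compare(previous, current):
    """Classify the differences between two snapshots of the same folder."""
    return {"added": sorted(n for n in current if n not in previous),
            "removed": sorted(n for n in previous if n not in current),
            "modified": sorted(n for n in current if n in previous and current[n] != previous[n])}


def recreated_entries(history):
    """Names removed at one scan and present again at a later one."""
    seen_removed, recreated = set(), set()
    for prev, cur in zip(history, history[1:]):
        delta = compare(prev, cur)
        seen_removed.update(delta["removed"])
        recreated.update(n for n in delta["added"] if n in seen_removed)
    return sorted(recreated)


def simulate_redrop(folder, name="IntelUpdate.exe"):
    """Constructed scenario: an entry appears, an analyst deletes it, and it comes back."""
    path = os.path.join(folder, name)
    history = [snapshot(folder)]
    for step in ("drop", "delete", "drop"):
        if step == "drop":
            with open(path, "wb") as fh:
                fh.write(PLACEHOLDER)
        else:
            os.remove(path)
        history.append(snapshot(folder))
    return history


def run_demo():
    """Run the constructed scenario in a throwaway directory and return the verdict."""
    folder = tempfile.mkdtemp(prefix="startup-demo-")
    try:
        return recreated_entries(simulate_redrop(folder))
    finally:
        for name in os.listdir(folder):
            os.remove(os.path.join(folder, name))
        os.rmdir(folder)


if __name__ == "__main__":
    print("re-created in demo:", run_demo())
    for folder in STARTUP_FOLDERS:          # real folders: print the current inventory
        print(folder, snapshot(folder))
```

On a live machine the snapshots would be taken periodically and kept across reboots; a name that reappears after it was deleted is the case to escalate, and given what this article describes, the next step is a firmware dump rather than another file deletion.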

Kaspersky is not sure exactly how MosaicRegressor is delivered; one possibility is that an attacker with physical access to the target PC installs it from a USB flash drive.

"Such a USB should contain a special update utility that can be generated by a designated builder provided by the company. We found the Q-flash update utility in the firmware we examined," Kaspersky states.

Although that is the simplest method, Kaspersky does not rule out a remote attack. There is no evidence that one has actually happened, but it remains a possibility.

The average user probably does not need to worry about MosaicRegressor, but its existence is still somewhat concerning, since it could encourage attackers to focus more on similar attacks. In theory, anyway. In practice, malware operators are most likely to stick with tried-and-true methods such as ransomware.

Thanks, Bleeping Computer.
