China Is Using New Computer Virus To Spy on Diplomats; It Survives Windows OS Reinstalls

BANGKOK (Aryavarth) Security firm Kaspersky Lab uncovered the malware, which implants itself in a computer’s UEFI (Unified Extensible Firmware Interface) to persist on a Windows machine indefinitely.

Attacking the UEFI is alarming because this firmware is what boots the computer and loads the operating system. It also sits apart from the computer’s main hard drive, usually in the motherboard’s SPI flash memory. As a result, any malicious code embedded in the UEFI can survive an operating system reinstall while evading traditional antivirus solutions, which only scan the disk.

“This attack demonstrates that, albeit rarely, in exceptional cases, actors are willing to go to great lengths in order to gain the highest level of persistence on a victim’s machine,” said Kaspersky Lab researcher Mark Lechtik in a statement.

The company discovered the UEFI-based malware on machines belonging to two victims. It drops a Trojan file called “IntelUpdate.exe” into the Startup folder; because the dropper runs from firmware, the file is recreated even if the user finds and deletes it.

“Since this logic is executed from the SPI flash, there is no way to avoid this process other than eliminating the malicious firmware,” Kaspersky Lab said.

The malware’s goal is to deliver additional tools to the victim’s computer, including a document stealer that collects files from the “Recent Documents” directory before uploading them to the attacker’s command and control server.

Kaspersky Lab refrained from naming the victims, but said the culprits have been going after computers belonging to “diplomatic entities and NGOs in Africa, Asia, and Europe.” All the victims have some connection to North Korea, be it through non-profit activities or an actual presence in the country.

While examining the malware’s code, Kaspersky Lab also noticed that its components can reach out to a command and control server previously tied to a suspected Chinese state-sponsored hacking group known as Winnti. In addition, the security firm found evidence that the malware’s authors used the Chinese language while writing the code.

Still, Kaspersky Lab is refraining from calling out a specific group for the attacks. “Since this is the only link between our findings and any of the groups using the Winnti backdoor, we estimate with low confidence that it is indeed responsible for the attacks,” Kaspersky Lab added.

It remains unclear how the UEFI-based malware was delivered and which PC models are vulnerable to the attack. Kaspersky Lab notes that manipulating the UEFI is difficult because it requires knowledge of the machine’s firmware and a way to write to the SPI flash chip on the board.

However, the security firm found that the UEFI-based malware was built with the help of leaked documents from an Italian surveillance company called Hacking Team. In 2015, the company had its files stolen and dumped online, and they showed that Hacking Team was also working on a UEFI-based attack capable of infecting Asus X550C and Dell Latitude E6320 models through a USB thumb drive.

“Of course, we cannot exclude other possibilities whereby rogue firmware was pushed remotely, perhaps through a compromised update mechanism,” Kaspersky Lab added. “Such a scenario would typically require exploiting vulnerabilities in the BIOS update authentication process. While this could be the case, we don’t have any evidence to support it.”

To remove the malware, Kaspersky Lab said, a victim would need to reflash the motherboard’s firmware with a legitimate version.

This is the second time security researchers have uncovered malware designed to abuse the UEFI. In 2018, antivirus vendor ESET reported a separate instance of UEFI-based malware, dubbed LoJax, which may have come from Russian state-sponsored hackers.

In Kaspersky Lab’s case, the company discovered the UEFI-based malware thanks to the firmware scanner it began rolling out last year. The culprit behind the malware has also been found preying on victims using phishing emails; however, none of the phishing emails were found delivering the UEFI-based attack.