BANGKOK (Aryavarth) Security firm Kaspersky Lab uncovered the malware, which exploits a computer’s UEFI (Unified Extensible Firmware Interface) to continually persist on a Windows machine.
Attacking the UEFI is pretty alarming because the software is used to boot up your computer and load the operating system. It also operates separately from your computer’s main hard drive, and usually resides in the motherboard’s SPI flash memory as firmware. As a result, any malicious process embedded in the UEFI can survive an operating system reinstall while evading traditional antivirus solutions.
“This attack demonstrates that, albeit rarely, in exceptional cases, actors are willing to go to great lengths in order to gain the highest level of persistence on a victim’s machine,” said Kaspersky Lab researcher Mark Lechtik in a statement.
The company discovered the UEFI-based malware on machines belonging to two victims. It works to create a Trojan file called “IntelUpdate.exe” in the Startup Folder, which will reinstall itself even if the user finds it and deletes it.
“Since this logic is executed from the SPI flash, there is no way to avoid this process other than eliminating the malicious firmware,” Kaspersky Lab said.
The malware’s goal is to deliver other hacking tools on the victim’s computer, including a document stealer, which will fetch files from the “Recent Documents” directory before uploading them to the hacker’s command and control server.
Kaspersky Lab refrained from naming the victims, but said the culprits have been going after computers belonging to “diplomatic entities and NGOs in Africa, Asia, and Europe.” All the victims have some connection to North Korea, be it through non-profit activities or an actual presence in the country.
While looking over the malware’s computer code, Kaspersky Lab also noticed the processes can reach out to a command and control server previously tied to a suspected Chinese state-sponsored hacking group known as Winnti. In addition, the security firm found evidence the creators behind the malware used the Chinese language while programming the code.
Still, Kaspersky Lab is refraining from calling out a specific group for the attacks. “Since this is the only link between our findings and any of the groups using the Winnti backdoor, we estimate with low confidence that it is indeed responsible for the attacks,” Kaspersky Lab added.
It remains unclear how the UEFI-based malware was delivered, and which PC models are vulnerable to the attack. Kaspersky Labs notes that manipulating the UEFI is difficult because it requires knowledge of the machine’s firmware and ways to exploit the SPI flash chip onboard.
However, the security firm noticed the UEFI-based malware was created with the help of leaked documents from an Italian surveillance company called Hacking Team. In 2015, the company had its files stolen and dumped online, which showed Hacking Team was also working on a UEFI-based attack capable of infecting Asus X550C and Dell Latitude E6320 models through a USB thumb drive.
“Of course, we cannot exclude other possibilities whereby rogue firmware was pushed remotely, perhaps through a compromised update mechanism,” Kaspersky Lab added. “Such a scenario would typically require exploiting vulnerabilities in the BIOS update authentication process. While this could be the case, we don’t have any evidence to support it.”
To remove the malware, Kaspersky Lab said a victim would need to update a motherboard’s firmware to a legitimate version.
This is the second time security researchers have uncovered malware designed to exploit the UEFI. In 2018, antivirus vendor ESET reported a separate instance of UEFI-based malware, dubbed Lojax, which may have come from Russian state-sponsored hackers.
In Kaspersky Lab’s case, the company discovered the UEFI-based malware thanks to the company’s firmware scanner, which it began implementing last year. The mysterious culprit behind the malware has also been found preying on victims using phishing emails. However, none of the phishing emails were found delivering the UEFI-based attack.