Hacking Group Used Rare UEFI Bootkit for Espionage
Kaspersky: 'MosaicRegressor' Framework Targeted Nongovernment Organizations, Diplomats
A Chinese-speaking hacking group used a rare Unified Extensible Firmware Interface bootkit dubbed "MosaicRegressor" to target nongovernment organizations and diplomatic missions with an espionage campaign for two years, the security firm Kaspersky reports.
Unified Extensible Firmware Interface, or UEFI, is the firmware that initiates a PC's boot sequence and loads the device's operating system. By subverting this essential stage, the MosaicRegressor framework attempted to take over the device's boot process; it could then download multiple malware variants with data-gathering capabilities and establish long-running persistence.
"A sophisticated attacker can modify the firmware in order to have it deploy malicious code that will be run after the operating system is loaded," according to Kaspersky. "Moreover, since it [the firmware] is typically shipped within SPI flash storage that is soldered to the computer's motherboard, such implanted malware will be resistant to [operating system] reinstallation or replacement of the hard drive."
The use of these types of bootkits by hackers is rare. Security firm ESET in 2018 uncovered a similar rootkit called LoJax, which was used to target government organizations in Central and Eastern Europe and was believed to have been developed by sophisticated Russian hackers.
Connections to China?
In its new report on the use of the MosaicRegressor bootkit, Kaspersky found the hacking group used it from 2017 to 2019 to target over a dozen diplomatic entities and NGOs in Africa, Asia and Europe. In many cases, the targets had links to North Korea, the report notes, but it's not clear what data may have been targeted or stolen during this time.
The Kaspersky researchers also found that MosaicRegressor's infrastructure appears to overlap with malware components previously associated with Chinese hackers.
"MosaicRegressor is a multistage and modular framework aimed at espionage and data gathering," Kaspersky analysts Mark Lechtik, Igor Kuznetsov and Yury Parshin note in the report. "Code artifacts in some of the framework's components and overlaps in [command and control] infrastructure used during the campaign suggest that a Chinese-speaking actor is behind these attacks, possibly having connections to groups using the Winnti backdoor."
The Kaspersky analysts say the MosaicRegressor framework has four key components. These were developed from the source code of a bootkit named VectorEDK, which was leaked in 2015, the report notes.
"The fact that the framework consists of multiple modules assists the attackers to conceal the wider framework from analysis and deploy components to target machines only on demand," according to the Kaspersky analysis.
The Kaspersky team uncovered the MosaicRegressor bootkit after the company's security tools spotted suspicious UEFI images in two devices used by an organization, according to the report. This led to the discovery of additional devices containing traces of the framework, which may have been targeted by the same hacking group.
The MosaicRegressor framework components include two DXE (Driver Execution Environment) drivers, which run from the device's firmware during the boot process, and two UEFI applications, including one called SmmAccessSub. This acts as the main dropper that allows the hacking group to load additional malware onto the device, according to the report.
All four of these components are derived from the leaked VectorEDK source code but were updated and customized for this particular campaign, according to Kaspersky.
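Because the implant lives in the SPI flash image rather than on disk, the defender's check is to compare the firmware volumes in a dumped image against a known-good copy of the same vendor firmware. The following is an added example, not code from Kaspersky's report: it locates each volume by its EFI_FIRMWARE_VOLUME_HEADER ("_FVH" signature), hashes it, and reports volumes whose contents changed. The two sample images and the FileSystemGuid are constructed for the demo.

```python
import hashlib
import struct
# EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec): ZeroVector[16], FileSystemGuid[16], UINT64 FvLength
# at offset 32, "_FVH" signature at offset 40, UINT16 HeaderLength at offset 48, then a block map.
FVH_SIGNATURE = b"_FVH"
SIG_OFF, LEN_OFF, HDRLEN_OFF, MIN_HEADER = 40, 32, 48, 56

def find_firmware_volumes(image: bytes):
    """Yield (offset, length) of each plausible firmware volume in an SPI dump."""
    pos = image.find(FVH_SIGNATURE)
    while pos != -1:
        start = pos - SIG_OFF
        if start >= 0 and start + MIN_HEADER <= len(image):
            fv_len = struct.unpack_from("<Q", image, start + LEN_OFF)[0]
            hdr_len = struct.unpack_from("<H", image, start + HDRLEN_OFF)[0]
            # Reject stray "_FVH" bytes in data that are not inside a sane header.
            if MIN_HEADER <= hdr_len <= fv_len and start + fv_len <= len(image):
                yield start, fv_len
                pos = image.find(FVH_SIGNATURE, start + fv_len)
                continue
        pos = image.find(FVH_SIGNATURE, pos + 1)

def volume_hashes(image: bytes) -> dict:
    """Map volume offset -> SHA-256 of the whole volume (header plus contents)."""
    return {off: hashlib.sha256(image[off:off + n]).hexdigest()
            for off, n in find_firmware_volumes(image)}

def diff_against_baseline(baseline: bytes, dump: bytes) -> list:
    """Offsets of volumes in the dump that are new or differ from the golden image."""
    base, cur = volume_hashes(baseline), volume_hashes(dump)
    return sorted(off for off, h in cur.items() if base.get(off) != h)

def make_volume(payload: bytes, total_len: int) -> bytes:
    """Build a minimal constructed firmware volume (header checksum left zero)."""
    guid = bytes(range(16))  # placeholder FileSystemGuid, not a real FFS GUID
    hdr = b"\x00" * 16 + guid + struct.pack("<Q", total_len) + FVH_SIGNATURE
    hdr += struct.pack("<IHHHBB", 0, 72, 0, 0, 0, 2)  # attrs, hdrlen, csum, ext, rsvd, rev
    hdr += struct.pack("<IIII", 1, total_len, 0, 0)   # one block-map entry + terminator
    return hdr + payload.ljust(total_len - len(hdr), b"\xff")

# Constructed sample images: a golden dump (with a stray "_FVH" in the padding) and one where
# the second volume gained a driver-sized blob, as an implanted DXE driver would.
PADDING = b"\xff" * 0x80 + b"_FVH" + b"\xff" * 0x7c
VOL_A = make_volume(b"PEI core and DXE core (constructed)", 0x200)
VOL_B = make_volume(b"vendor DXE drivers (constructed)", 0x300)
BASELINE = PADDING + VOL_A + VOL_B
TAMPERED = PADDING + VOL_A + make_volume(b"vendor DXE drivers (constructed)" + b"\x00" * 8 + b"IMPLANT.efi (constructed)", 0x300)

if __name__ == "__main__":
    print("changed volumes at:", [hex(o) for o in diff_against_baseline(BASELINE, TAMPERED)])
```

On a real system the baseline comes from a vendor image or a dump taken at provisioning time, and a changed volume is the cue to extract and inspect its individual DXE drivers.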
The researchers aren't sure of the initial attack vector or how the framework may have been loaded onto a targeted device. One possibility is that someone needed physical access to the targeted PC to load the bootkit using a USB key, according to the report. The hacking group, however, may have installed the bootkit remotely by taking advantage of a vulnerability in a targeted device's BIOS, they add.
The bootkit may have more components than the four outlined in the report, the researchers say.
For instance, the report notes that a library called "load.rem" can act as a basic document and information stealer with the ability to fetch files from the "recent documents" directory of a device and archive them with a password. This is likely the final stage before data is exfiltrated and sent to the command and control server, according to Kaspersky.
The report also notes that other components can act as downloaders or droppers for other malicious payloads. For instance, one component installs itself through the device's Autorun registry values and then sets the stage to download secondary Dynamic Link Libraries that can further infect the PC and perform a variety of functions, according to the report.
Scott Scheferman, principal cyber strategist at security firm Eclypsium, notes that while still rare, these types of attacks targeting UEFI and other firmware found in a variety of devices will likely continue to grow, especially now that source code can be found online, as Kaspersky chronicled in its report.
"This newly discovered campaign leveraged open source software found on GitHub that anyone has access to and can easily re-use," Scheferman tells Information Security Media Group. "As these types of toolkits proliferate and modern firmware continues down the path of increasing complexity, we can expect to find more payloads in UEFI and a myriad of other firmware used in endpoints, network and internet of things devices. Lack of visibility into firmware is another important reason for malicious actors to continue targeting firmware."