It's a silent and deadly threat long dreaded by security experts: malware entrenched in the firmware of modern computer chips that can't be expelled by reinstalling the operating system or even wiping or replacing the hard drive.
These mostly invisible firmware rootkit — aka bootkit — attacks thus far have been very rare, but researchers at Kaspersky have discovered one in the wild. The custom rootkit compromised the Unified Extensible Firmware Interface (UEFI) in computer chips that handles system booting and loading the operating system. The malware implant, which was just one module found in a larger attack framework Kaspersky named MosaicRegressor, appears to be written by a Chinese-speaking actor, based on several artifacts and language clues in it, the researchers say.
The attackers pointed MosaicRegressor at African, Asian, and European diplomatic and nongovernmental organizations between 2017 and 2019. Two victims of were found with the UEFI bootkit infection. All of the targets had some link to North Korea interests, either as nonprofits focused on the country or with locations there.
This is only the second known case of a bootkit attack: The first, revealed two years ago by ESET, was used by the Russian nation-state hacking group Fancy Bear, aka Sednit/Sofacy/APT28, best known for its 2016 attack on the Democratic National Committee. The so-called LoJax malware basically mimicked Absolute Software's LoJack computer anti-theft software embedded in many machines, exploiting the flaws in the BIOS of victim machines and then dropping the bootkit on them.
"That was truly a significant finding," said Mark Lechtik, senior security researcher at Kaspersky, who along with colleague Igor Kuznetsov detailed their research at Kaspersky's SAS@Home virtual event this week. What sets this second UEFI rootkit apart from the previous one, Lechtik said, is that's a customized version of one developed by HackingTeam, the controversial zero-day exploit development firm out of Italy known for selling advanced attack modules to governments.
HackingTeam itself got hacked and doxed five years ago, and much of its code, including that of a UEFI rootkit, is now living on GitHub for researchers and attackers alike to experiment with.
"There was actually no evidence of [the HackingTeam rootkit's] usage in the wild" until now, Lechtik said.
It was only a matter of time that an advanced threat group would employ the UEFI bootkit tool from HackingTeam. Jesse Michael, principal security researcher with Eclypsium, says he's built proof-of-concept versions of the code in his own research to prove and study how it could be weaponized.
Bootkits are all about dwell time for an attacker, he says, even though they have not yet been widely used to date. This malware found by Kaspersky is based on "pretty simple code," he says, and has plenty of room for enhancement. "There's a lot you can do to take advantage of " the UEFI bootkit, he says. "This just scratches the surface."
The Kaspersky researchers say they weren't able to pinpoint how the attackers were able to plant the bootkit on the victim machines and rewrite the legitimate UEFI firmware. They point to two possible scenarios: physical access to the victim machine akin to Hacking Team's USB key tool. "Such a USB would contain a special update utility that can be generated with a designated builder provided by the company. We found a Q-flash update utility in our inspected firmware, which could have been used for such a purpose as well," they wrote in a blog post.
Another option is via a remotely installed "patch" of the firmware with the malicious code. That would entail attacking the BIOS update authentication process to pull off.
The bootkit's main job is to deploy malware in a targeted file directory, Lechtik said. "So when the operating system starts, this malware file will be executed."
The attackers also appeared to have used the Winnti backdoor, a popular tool among Chinese nation-state groups. Kuznetsov said he and the team were able to get one of the DLL files, which turned out to be an information-stealing tool that had archived the contents of the recently accessed documents folder. "It suggested the whole campaign was related to espionage activities. But we don't have evidence to have any clues about what is actually the target" information, he said. MosaicRegressor has no known ties to any other threat groups that Kaspersky tracks.
Fighting the Invisible Enemy
It's not easy to even track these types of attacks because there's little visibility into them, researchers say. So, how do you protect against a bootkit attack?
Encrypting the hard drive itself is one way to defend against such an attack, using Microsoft's BitLocker, for example, Kaspersky says. There's also Secure Boot, a feature supported on most modern computers that allows only securely signed firmware and software to boot up and run on a machine. Intel offers in its microprocessors the Secure Boot-based Intel Boot Guard, which protects UEFI firmware from tampering and malware.
"But if the motherboard is misconfigured and protections are not in place — if Boot Guard is not turned on — there are huge problems for any platform" that gets targeted, Kuznetsov said.
Michael says he worries that the bootkit capability ultimately be deployed in even more sophisticated attacks. For example, an attacker could watch and wait for a system protected by BitLocker to unlock, and then "patch" the system with bootkit malware.