Connect with us

Hi, what are you looking for?


China-Linked Hackers Used UEFI Malware in North Korea-Themed Attacks


A risk actor linked to China has used UEFI malware based mostly on code from Hacking Staff in assaults aimed toward organizations with an curiosity in North Korea, Kaspersky reported on Monday.

Kaspersky researchers analyzed the malware and the malicious exercise after stumbling upon a number of suspicious UEFI firmware pictures. A deeper investigation revealed the existence of 4 elements, a lot of which had been based mostly on supply code leaked in 2015 by a hacker who had breached the programs of the now-defunct Italian surveillance options supplier Hacking Staff. The firmware implant seemed to be based mostly on code related to the Vector-EDK bootkit, with just some minor modifications.

Kaspersky has not been capable of decide how the attackers managed to rewrite the firmware on focused machines. Nevertheless, contemplating that the firmware implant is predicated on Hacking Staff code, it’s potential that deployment concerned bodily entry to the focused machine and attaching a USB key — Hacking Staff’s Vector-EDK bootkit was designed to be deployed through a USB key.

“After all, we can not exclude different potentialities whereby rogue firmware was pushed remotely, maybe via a compromised replace mechanism. Such a state of affairs would usually require exploiting vulnerabilities within the BIOS replace authentication course of. Whereas this could possibly be the case, we don’t have any proof to help it,” Kaspersky researchers stated.

The implant’s primary bootkit part is designed to behave as a persistent dropper for a bit of Home windows malware. This permits the attackers to make sure that the Home windows malware can’t be faraway from the compromised system — the malware is rewritten to disk if eliminated, except the malicious firmware can also be eliminated.

The malware delivered by the bootkit was decided to be a variant from a framework that Kaspersky has dubbed MosaicRegressor, which is designed for espionage. The framework is modular, enabling the attackers to hold out varied duties, reminiscent of stealing paperwork from the compromised pc.

Kaspersky detected MosaicRegressor elements at “a number of dozen” entities between 2017 and 2019. Victims included NGOs and diplomatic entities in Asia, Africa and Europe, and one factor they’d in widespread was a connection to North Korea — in some instances they’d a presence within the nation, whereas others had been concerned in non-profit exercise associated to North Korea. Nevertheless, solely two of those victims had been focused with the UEFI implant.

Proof uncovered by Kaspersky means that the hackers behind these assaults are Chinese language audio system, and a connection has been discovered to Winnti, however no definitive hyperlinks have been discovered to a identified risk actor.

There aren’t too many identified assaults involving UEFI malware. ESET reported in 2018 that the Russia-linked risk group Fancy Bear had been utilizing a UEFI rootkit in its assaults.

Associated: Meet MBR-ONI, Bootkit Ransomware Used as a Focused Wiper

Associated: Russian Hackers Utilizing Bootkit to Steal Fee Information

China-Linked Hackers Used UEFI Malware in North Korea-Themed Attacks
China-Linked Hackers Used UEFI Malware in North Korea-Themed Attacks
China-Linked Hackers Used UEFI Malware in North Korea-Themed Attacks

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He labored as a highschool IT trainer for 2 years earlier than beginning a profession in journalism as Softpedia’s safety information reporter. Eduard holds a bachelor’s diploma in industrial informatics and a grasp’s diploma in pc strategies utilized in electrical engineering.

Earlier Columns by Eduard Kovacs:
China-Linked Hackers Used UEFI Malware in North Korea-Themed AttacksTags:

You May Also Like


Introduction In previous articles we have talked about images of dockers, the origin and functioning of dockers and the dockers’ hub. In this document...


Linux desktops are good in many ways, but like Windows they are not known as the most efficient battery. This does not mean that...


The United States Supreme Court has indicated that it will finally solve a problem that has been causing legal problems for almost two decades:...


To secure your AWS assets, follow these AWS Identity and Access Management (IAM) guidelines. Locking the Root User Access Key for AWSAccount You use...