A firmware bootkit has been spotted in the wild, targeting diplomats and members of non-governmental organizations (NGOs) from Africa, Asia and Europe. It has turned out to be part of a newly uncovered framework called MosaicRegressor.
According to researchers from Kaspersky, code artifacts in some of the framework’s components and overlaps in command-and-control (C2) infrastructure suggest that a Chinese-speaking group with connections to the Winnti backdoor is behind the attacks.
Kaspersky observed several dozen victims who received components from the MosaicRegressor framework between 2017 and 2019 – all of whom had ties to North Korea.
“Based on the affiliation of the discovered victims, we could determine that all had some connection to the DPRK, be it non-profit activity related to the country or actual presence within it,” Kaspersky said.
This focus on North Korea-related victims was reinforced by emails used to deliver the malware. These contained self-extracting (SFX) archives pretending to be documents discussing various subjects related to North Korea. Those were bundled with both an actual document and MosaicRegressor variants, both of which execute when the archive is opened.
Modifying UEFI Malware
Initially, the researchers discovered rogue UEFI firmware images within Kaspersky’s telemetry that were modified from their benign counterparts to incorporate several malicious modules.
“The modules were used to drop malware on the victim machines,” researchers explained, in a posting on Monday. “This malware was part of a wider malicious framework that we dubbed MosaicRegressor.”
UEFI is a specification that constitutes the structure and operation of low-level platform firmware, including the loading of the operating system itself. It can also be used when the OS is already up and running, for example in order to update the firmware.
“UEFI firmware makes for a perfect mechanism of persistent malware storage,” Kaspersky researchers explained. “A sophisticated attacker can modify the firmware in order to have it deploy malicious code that will be run after the operating system is loaded.”
A deeper inspection revealed that the malicious firmware images contained four components: Two [driver execution environment] DXE drivers and two UEFI applications. Delving even deeper, they found that the components were all based on a customized version of the leaked source code of HackingTeam’s VectorEDK bootkit.
“The goal of these added modules is to invoke a chain of events that would result in writing a malicious executable named ‘IntelUpdate.exe’ to the victim’s Startup folder,” according to the research. “Thus, when Windows is started, the written malware would be invoked as well.”
The team wasn’t able to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware. However, options include physical access to the victim’s machine, using a malicious USB key with a special update utility, or a remote infection, perhaps through a compromised update mechanism.
“Such a [remote] scenario would typically require exploiting vulnerabilities in the BIOS update authentication process,” researchers said.
4 Components
One of the two uncovered DXE drivers is named Ntfs. It’s called such because it’s used to detect and parse the NT File System (NTFS), in order to conduct file and directory operations on the disk.
SmmReset meanwhile is a UEFI application intended to mark the firmware image as infected.
“This is done by setting the value of a variable named ‘fTA’ to a hard-coded [globally unique identifier] GUID,” researchers said. “The application is based on a component from the original Vector-EDK code base that is named ‘ReSetfTA.'”
The second DXE driver is called SmmInterfaceBase, and is based on Hacking Team’s “rkloader” component. It’s used as a first-stage tool to deploy the main bootkit component, SmmAccessSub, later on in the attack chain.
“This is done by registering a callback that will be invoked upon an event of type EFI_EVENT_GROUP_READY_TO_BOOT. The event occurs at a point when control can be passed to the operating system’s bootloader, effectively allowing the callback to take effect before it. The callback will in turn load and invoke the ‘SmmAccessSub’ component,” according to the research.
SmmAccessSub serves as a persistent dropper for a user-mode malware, and takes care of writing a binary embedded within it as a file named ‘IntelUpdate.exe’ to the startup directory on disk. This allows the binary to execute whenever Windows is up and running.
“This is the only proprietary component amongst the ones we inspected, which was mostly written from scratch and makes only slight use of code from a Vector-EDK application named ‘fsbg,'” researchers wrote.
SmmAccessSub Component
SMMAccessSub runs through a series of actions that culminate in dropping the IntelUpdate.exe file to disk, Kaspersky explained.
First, it bootstraps pointers for the SystemTable, BootServices and RuntimeServices global structures, and uncovers the currently loaded UEFI image. The module then attempts to find the root drive in which Windows is installed, and makes sure that the \Windows\System32 directory is present.
“A global EFI_FILE_PROTOCOL object that corresponds to the drive will be created at this point and referenced to open any further directories or files in this drive,” researchers said.
The module also looks for a marker file named ‘setupinf.log’ under the Windows directory and proceeds only if it doesn’t exist. It then creates a file with the same name, and goes on to check if the “Users” directory exists under the same drive.
If that directory exists, it writes the IntelUpdate.exe file (embedded in the UEFI application’s binary) under the ProgramData\Microsoft\Windows\Start Menu\Programs\Startup directory in the root drive.
The MosaicRegressor Framework
The IntelUpdate executable unpacks a new piece of malware, a downloader, which hadn’t been seen in the wild before, Kaspersky said. The analysts however were able to use code fingerprints to determine that the binary belongs to a wider, multi-stage and modular framework called MosaicRegressor.
This is “a framework aimed at espionage and data-gathering,” explained the researchers. “It consists of downloaders, and occasionally multiple intermediate loaders, that are intended to fetch and execute payload on victim machines….we were able to obtain only a handful of payload components during our investigation.”
Most of the components are merely downloaders that fetch other payloads. For instance, one installs in the autorun registry values and acts as another loader for components that themselves are also just intermediate loaders for the next stage DLLs.
Researchers said that this modular nature of the framework allows the attackers to conceal the wider framework from analysis, and deploy components to target machines only on demand.
Kaspersky did uncover one example of a late-stage component, an info-stealer called “load.rem.” It fetches files from the “Recent Documents” directory and archives them with a password, “likely as a preliminary step before exfiltrating the result to the C2 by another component,” according to Kaspersky.
Chinese-Language Attribution
Kaspersky suspects the threat actor to be Chinese-speaking, based on several pieces of forensic evidence.
For instance, certain strings used in the system-information log contain a Unicode character that appears to be translated from either the Chinese or Korean code pages. Also, the researchers found a file resource in some of the samples that contained a language identifier set to 2052 (“zh-CN”). They also uncovered the use of an OLE2 object-builder commonly used by Chinese-speaking threat actors.
Meanwhile, one of the C2 addresses used by one of MosaicRegressor’s variants has been observed in the past being used by the Winnti umbrella and linked groups, which are APTs that have been linked to the Chinese government.
“It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it…and the high stakes of burning sensitive toolset or assets when doing so. With this in mind, we see that UEFI continues to be a point of interest to APT actors, while at large being overlooked by security vendors.”
On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.