The Unified Extensible Firmware Interface (UEFI) is the software that lives on your computer's motherboard. It is the first thing to run when you boot the system, which gives it access to virtually every component of the operating system. It also persists across reboots, reformats, and even replacement of system components. Because the UEFI resides on a flash memory chip soldered to the board, it is extremely hard to scan for malware and even harder to purge.
So, if you want to own a system and minimize the chance of getting caught, UEFI malware is the way to go. The problem is that it is extremely difficult to get malicious code into UEFI firmware. Still, Kaspersky built a dedicated firmware scanner into its antivirus products in 2019. Now the company says it has detected the second known instance of UEFI malware, which it calls MosaicRegressor.
The infection was found on just two computers, both belonging to diplomatic officials in Asia. The full exploit chain is long and varied, allowing the attackers to load multiple modules to control the target system and steal data. However, it all starts with the UEFI loader. On every boot, MosaicRegressor checks whether its malicious "IntelUpdate.exe" file is in the Windows startup folder. If not, it drops the file there. This is the gateway to everything else MosaicRegressor can do. We do not yet know the full extent of the operation's capabilities, as Kaspersky was only able to capture a handful of the malware modules. The team has confirmed that MosaicRegressor can exfiltrate files from infected systems, though.
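Because the firmware component re-drops the file on every boot, deleting it once proves nothing; what a defender wants is to notice a startup item that comes back after removal. The following PowerShell script is an added example, not code from the article or from Kaspersky: it inventories the per-user and all-users startup folders, compares them with a saved baseline (stored at an assumed path under ProgramData), and flags new, changed, or known-indicator entries.

```powershell
# Added example (not from the article or Kaspersky): baseline the Windows
# startup folders and flag entries that appear, change, or reappear after a
# reboot. MosaicRegressor's firmware stage re-drops IntelUpdate.exe on each
# boot, so a file that returns after deletion is the signal worth watching.
$BaselinePath = "$env:ProgramData\startup-baseline.json"   # assumed location
$Folders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users startup folder
)

function Get-StartupInventory {
    foreach ($dir in $Folders) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status.ToString()
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

$current = @(Get-StartupInventory)

if (Test-Path $BaselinePath) {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $known = @{}
    foreach ($b in $baseline) { $known[$b.Path] = $b.Sha256 }
    foreach ($c in $current) {
        if (-not $known.ContainsKey($c.Path)) {
            Write-Warning "NEW startup item: $($c.Path) [$($c.Signature)] $($c.Signer)"
        } elseif ($known[$c.Path] -ne $c.Sha256) {
            Write-Warning "CHANGED startup item: $($c.Path)"
        }
    }
} else {
    Write-Output "No baseline found; writing one to $BaselinePath"
}

# Always flag the specific artifact named in the report, regardless of baseline.
$current | Where-Object { $_.Path -like '*\IntelUpdate.exe' } |
    ForEach-Object { Write-Warning "MosaicRegressor indicator present: $($_.Path)" }

# Save the current inventory as the next baseline.
$current | ConvertTo-Json | Set-Content -Path $BaselinePath
```

Run it once after cleaning the startup folders to record the baseline, then again after a reboot: an item reported as NEW that you had already deleted points to something outside the operating system putting it back.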
Kaspersky researchers note that the attack appears to come from a Chinese-speaking individual or group; it could be a tool built by the Chinese government for all we know. Kaspersky was unable to determine how the original UEFI code was altered, but the team made some educated guesses based on a piece of 2015 UEFI malware. That exploit required physical access to the device, making it unlikely that anyone other than the targets would get infected. That suggests a professional operation orchestrated by an intelligence agency, but we are unlikely to ever get confirmation of that.