
This 'invisible' malware is nearly impossible to detect


Researchers at cybersecurity firm Kaspersky have discovered an advanced persistent threat (APT) espionage campaign that uses a rare form of malware that is incredibly difficult to detect and remove.

The malware, a type known as a firmware bootkit, targets a computer’s Unified Extensible Firmware Interface (UEFI), which begins running before the operating system and any other programs.

This means that any installed security solutions won’t be up and running in time to detect it.

A rare threat

Although this particular form of malware is unusual, Kaspersky’s analysis found that it was not completely unique. The UEFI bootkit components used to insert malicious code into a user’s device were largely based on the Vector-EDK bootkit, which was originally created by Hacking Team and leaked online in 2015. This code was likely then used as the basis for the newly discovered malware, which Kaspersky has dubbed 'MosaicRegressor'.

“Although UEFI attacks present wide opportunities to the threat actors, MosaicRegressor is the first publicly known case where a threat actor used a custom-made, malicious UEFI firmware in the wild,” Mark Lechtik, senior security researcher for the Global Research and Analysis Team at Kaspersky, explained.

“Previously known attacks observed in the wild simply repurposed legitimate software (for instance, LoJax), making this the first in-the-wild attack leveraging a custom-made UEFI bootkit.”

Kaspersky was not able to determine the exact method the attackers used to infect a user’s device, but it has narrowed the infection vector down to two likely options. The first involves gaining physical access to a victim’s computer and using a bootable USB key to install a Trojan-downloader. The second, and likely the more common method, is a simple spearphishing delivery that installs a Trojan-downloader, which can then be used to gather information from the infected device.

The MosaicRegressor malware campaign has not been conclusively linked to any known cyberattack group, but Kaspersky was able to connect some of the attacks to Russian-language spearphishing documents. All of the victims, many of whom were diplomats or worked for NGOs, had some connection to North Korea.