Kaspersky Labs discovers sophisticated UEFI Malware
The Unified Extensible Firmware Interface (UEFI) is the low-level software that lives on your computer's motherboard (the "MBO"). UEFI firmware is stored on a flash memory chip soldered to the board, runs before the operating system loads, and has access to almost every part of the system. It stays in place after every reboot, after a disk format, and even after other components are replaced.
With this in mind it is not hard to see why attackers have started targeting UEFI for malware injection, even though inserting malicious code into UEFI firmware is very challenging.
Back in 2019 Kaspersky Labs added a UEFI firmware scanner to its antivirus products, and that scanner has now detected the second known instance of UEFI malware, named MosaicRegressor. MosaicRegressor, which was discovered on two computers belonging to diplomatic officials in Asia, lets attackers load multiple modules in order to control the target system and steal data from the victims.
After each system boot, MosaicRegressor checks whether a malicious IntelUpdate.exe file is present in the Windows startup folder and, if it is not, drops it there. Once the IntelUpdate.exe process is running, the attacker has access to the full range of operating system capabilities. Kaspersky's team has confirmed that MosaicRegressor can be used to exfiltrate documents from infected systems, though more research is needed to determine its full capabilities.
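A defender-side check for the startup-folder persistence step described above, as an added example that is not part of the article or of Kaspersky's tooling; the folder paths derived from APPDATA/PROGRAMDATA and the "raw executable in Startup is unusual" heuristic are assumptions.

```python
"""Audit Windows startup folders for the persistence artefact the article describes."""
import os
from pathlib import Path, PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Indicator taken from the article: MosaicRegressor drops IntelUpdate.exe into the startup folder.
KNOWN_BAD_NAMES = {"intelupdate.exe"}
# Heuristic (assumption, not from the article): legitimate startup entries are normally
# .lnk shortcuts, so a raw executable placed straight into the folder deserves a look.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".ps1"}


def startup_folders() -> List[Path]:
    """Per-user and all-users Startup folders, built from the usual environment variables."""
    folders = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("PROGRAMDATA")
    if appdata:
        folders.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if programdata:
        folders.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return folders


def classify_entry(name: str) -> Optional[str]:
    """Return a finding label for one startup-folder file name, or None if it looks benign."""
    lower = name.lower()
    if lower in KNOWN_BAD_NAMES:
        return "known-indicator"
    if PureWindowsPath(lower).suffix in EXECUTABLE_SUFFIXES:
        return "raw-executable"
    return None


def audit_entries(names: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious file name to its finding label; benign names are omitted."""
    findings = {}
    for name in names:
        label = classify_entry(name)
        if label:
            findings[name] = label
    return findings


def audit_filesystem() -> Dict[str, str]:
    """Run the audit against the live startup folders (Windows only; empty dict elsewhere)."""
    names = [p.name for folder in startup_folders() if folder.is_dir() for p in folder.iterdir()]
    return audit_entries(names)


if __name__ == "__main__":
    # Constructed sample listing, not taken from a real machine.
    sample = ["desktop.ini", "OneDrive.lnk", "IntelUpdate.exe", "helper.ps1"]
    for name, label in audit_entries(sample).items():
        print(f"{label}: {name}")
```

A match on the known indicator is a strong signal; a raw-executable finding is only a prompt to inspect the file's hash and signer before acting on it.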
Kaspersky could not tell how the original UEFI firmware was altered, but the attack appears to have required physical access to the machine, so it was probably orchestrated by an intelligence agency. Because physical access was required, it is highly unlikely that machines other than the specific targets will be infected.