MosaicRegressor APT campaign using rare malware variant

Cyber security researchers at sector giant Kaspersky have warned of an advanced persistent threat (APT) campaign, dubbed MosaicRegressor, that is using a rarely seen variety of malware known as a firmware bootkit to establish persistence on target computers.

The malware has been used in targeted attacks – described as a complex and multi-stage modular framework used for espionage and data exfiltration – aimed at diplomats and non-governmental organisation (NGO) staffers from Africa, Asia and Europe. While Kaspersky posited a link to either North Korea or Russia, the campaign cannot yet be linked with confidence to any known actors.

Identified by Kaspersky’s scanners, the malware was found lurking in the Unified Extensible Firmware Interface (UEFI) of its target computer, which makes it particularly dangerous.

This is because the UEFI is an essential part of a machine that begins to run before the actual operating system (OS) on boot, which means that if its firmware can be modified to contain malicious code, said code will also launch before the OS, making it potentially invisible to any installed security solutions.

In addition, the fact that UEFI firmware resides on a flash chip separate to the hard drive makes attacks against it highly evasive and persistent because regardless of how many times the OS is reinstalled, the malware will remain on the device.

“Although UEFI attacks present wide opportunities to the threat actors, MosaicRegressor is the first publicly known case where a threat actor used a custom made, malicious UEFI firmware in the wild,” said Kaspersky Global Research and Analysis Team (GReAT) senior security researcher, Mark Lechtik.

“Previously known attacks observed in the wild simply repurposed legitimate software (for instance, LoJax), making this the first in the wild attack leveraging a custom made UEFI bootkit.

“This attack demonstrates that, albeit rarely, in exceptional cases actors are willing to go to great lengths to gain the highest level of persistence on a victim’s machine. Threat actors continue to diversify their toolsets and become more and more creative with the ways they target victims – and so should security vendors, to stay ahead of the perpetrators.

“Thankfully, the combination of our technology and understanding of the current and past campaigns leveraging infected firmware helps us monitor and report on future attacks against such targets,” he said.

Kaspersky said the custom bootkit components were found to be based on the VectorEDK bootkit developed by Hacking Team, which leaked five years ago. Kaspersky said it suspected the actors behind the MosaicRegressor campaign were able to use the leaked code to build their own software quite easily.

“The use of leaked third-party source code and its customisation into a new advanced malware once again raises yet another reminder of the importance of data security. Once software – be it a bootkit, malware or something else – is leaked, threat actors gain a significant advantage,” said Igor Kuznetsov, GReAT principal security researcher.

“Freely available tools provide them with an opportunity to advance and customise their toolsets with less effort and lower chances of being detected,” he said.

Kaspersky said it had not detected the exact infection vector that let the group overwrite the original UEFI firmware, but based on what it already known about VectorEDK, suggested that infections may have been possible with physical access to the target machine, specifically with a bootable USB key containing an update utility which would patch the firmware to make it install a trojan downloader.

An alternative and more likely scenario is that the MosaicRegressor components were delivered using spearphishing delivery of a malware dropper hidden in an archive, alongside a decoy file.