UEFI Bootkit Targeting Organizations


A Chinese hacking group used a rare UEFI bootkit called MosaicRegressor to target organizations and diplomatic missions for two years, according to Kaspersky. UEFI initiates the boot sequence in a PC and loads the device's operating system. By subverting this stage, the MosaicRegressor framework takes over the boot process. The group modified the firmware in order to deploy malicious code that runs after the operating system is loaded. Since the firmware is typically shipped in SPI flash storage soldered to the motherboard, this type of malware survives OS reinstallation and hard drive replacement.

The MosaicRegressor framework has four key components, all derived by modifying the VectorEDK bootkit source code. Splitting the framework into multiple modules helps the hackers hide it from analysis. It includes two DXE drivers, components of the device's firmware that run during the boot process, and two UEFI applications, one of which, SmmAccessSub, allows the hackers to load additional malware onto the device.

The use of bootkits by hackers is rare. Security firm ESET in 2018 found a similar bootkit called LoJax, which was used to target government organizations in Central and Eastern Europe and is believed to have been developed by sophisticated Russian hackers. Kaspersky found that the group used MosaicRegressor from 2017 to 2019 to target dozens of diplomatic entities and NGOs in Africa, Asia and Europe. The Kaspersky researchers also found that MosaicRegressor's infrastructure has similarities with malware associated with Chinese hackers.

Hardware and firmware providers still aren't spending enough resources on the defenses needed to effectively withstand such attacks. Secure Boot, because it only protects the boot process during run time, isn't the answer on its own. Security companies are only now starting to design antivirus scanning that reaches this layer for mainstream users. Password-protecting the UEFI setup is an effective measure against firmware tampering. Using full-disk encryption can also help because, should the UEFI firmware be compromised, it won't be able to write to the encrypted disk.