China-Linked Hackers Used UEFI Malware in North Korea-Themed Attacks

A threat actor linked to China has used UEFI malware based on code from Hacking Team in attacks aimed at organizations with an interest in North Korea, Kaspersky reported on Monday.

Kaspersky researchers analyzed the malware and the malicious activity after stumbling upon several suspicious UEFI firmware images. A deeper investigation revealed the existence of four components, many of which were based on source code leaked in 2015 by a hacker who had breached the systems of the now-defunct Italian surveillance solutions provider Hacking Team. The firmware implant appeared to be based on code associated with the Vector-EDK bootkit, with only some minor modifications.

Kaspersky has not been able to determine how the attackers managed to rewrite the firmware on targeted machines. However, considering that the firmware implant is based on Hacking Team code, it’s possible that deployment involved physical access to the targeted device and attaching a USB key — Hacking Team’s Vector-EDK bootkit was designed to be deployed via a USB key.

“Of course, we cannot exclude other possibilities whereby rogue firmware was pushed remotely, perhaps through a compromised update mechanism. Such a scenario would typically require exploiting vulnerabilities in the BIOS update authentication process. While this could be the case, we don’t have any evidence to support it,” Kaspersky researchers said.

The implant’s main bootkit component is designed to act as a persistent dropper for a piece of Windows malware. This allows the attackers to ensure that the Windows malware cannot be removed from the compromised system — the malware is rewritten to disk if removed, unless the malicious firmware is also removed.

The malware delivered by the bootkit was determined to be a variant from a framework that Kaspersky has dubbed MosaicRegressor, which is designed for espionage. The framework is modular, enabling the attackers to carry out various tasks, such as stealing documents from the compromised computer.

Kaspersky detected MosaicRegressor components at “several dozen” entities between 2017 and 2019. Victims included NGOs and diplomatic entities in Asia, Africa and Europe, and one thing they had in common was a connection to North Korea — in some cases they had a presence in the country, while others were involved in non-profit activity related to North Korea. However, only two of these victims were targeted with the UEFI implant.

Evidence uncovered by Kaspersky suggests that the hackers behind these attacks are Chinese speakers, and a connection has been found to Winnti, but no definitive links have been found to a known threat actor.

There aren’t too many known attacks involving UEFI malware. ESET reported in 2018 that the Russia-linked threat group Fancy Bear had been using a UEFI rootkit in its attacks.

Related: Meet MBR-ONI, Bootkit Ransomware Used as a Targeted Wiper

Related: Russian Hackers Using Bootkit to Steal Payment Data