Connect with us

Hi, what are you looking for?



China-Linked Hackers Used UEFI Malware in North Korea-Themed Attacks

A threat actor linked to China has used UEFI malware based on code from Hacking Team in attacks aimed at organizations with an interest in North Korea, Kaspersky reported on Monday.

A threat actor linked to China has used UEFI malware based on code from Hacking Team in attacks aimed at organizations with an interest in North Korea, Kaspersky reported on Monday.

Kaspersky researchers analyzed the malware and the malicious activity after stumbling upon several suspicious UEFI firmware images. A deeper investigation revealed the existence of four components, many of which were based on source code leaked in 2015 by a hacker who had breached the systems of the now-defunct Italian surveillance solutions provider Hacking Team. The firmware implant appeared to be based on code associated with the Vector-EDK bootkit, with only some minor modifications.

Kaspersky has not been able to determine how the attackers managed to rewrite the firmware on targeted machines. However, considering that the firmware implant is based on Hacking Team code, it’s possible that deployment involved physical access to the targeted device and attaching a USB key — Hacking Team’s Vector-EDK bootkit was designed to be deployed via a USB key.

“Of course, we cannot exclude other possibilities whereby rogue firmware was pushed remotely, perhaps through a compromised update mechanism. Such a scenario would typically require exploiting vulnerabilities in the BIOS update authentication process. While this could be the case, we don’t have any evidence to support it,” Kaspersky researchers said.

The implant’s main bootkit component is designed to act as a persistent dropper for a piece of Windows malware. This allows the attackers to ensure that the Windows malware cannot be removed from the compromised system — the malware is rewritten to disk if removed, unless the malicious firmware is also removed.

The malware delivered by the bootkit was determined to be a variant from a framework that Kaspersky has dubbed MosaicRegressor, which is designed for espionage. The framework is modular, enabling the attackers to carry out various tasks, such as stealing documents from the compromised computer.

Kaspersky detected MosaicRegressor components at “several dozen” entities between 2017 and 2019. Victims included NGOs and diplomatic entities in Asia, Africa and Europe, and one thing they had in common was a connection to North Korea — in some cases they had a presence in the country, while others were involved in non-profit activity related to North Korea. However, only two of these victims were targeted with the UEFI implant.

Evidence uncovered by Kaspersky suggests that the hackers behind these attacks are Chinese speakers, and a connection has been found to Winnti, but no definitive links have been found to a known threat actor.

Advertisement. Scroll to continue reading.

There aren’t too many known attacks involving UEFI malware. ESET reported in 2018 that the Russia-linked threat group Fancy Bear had been using a UEFI rootkit in its attacks.

Related: Meet MBR-ONI, Bootkit Ransomware Used as a Targeted Wiper

Related: Russian Hackers Using Bootkit to Steal Payment Data

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.