MosaicRegressor: Lurking in the Shadows of UEFI
12:25 – 12:55(SGT) Thursday 3 December, 2020
UEFI (or Unified Extensible Firmware Interface) has become a prominent technology that is embedded within designated chips on modern day computer systems. Replacing the legacy BIOS, it is typically used to facilitate the machine’s boot sequence and load the operating system, while using a feature-rich environment to do so. At the same time, it has become the target of threat actors to carry out exceptionally persistent attacks.
Researchers have recently uncovered such an attack as part of a campaign targeting diplomats and members of an NGO affiliated to North Korea. During analysis we were able to excavate several images of rogue UEFI firmware, containing a formerly unreported implant. Such findings are quite rare nowadays, which is why we decided to deep dive into this activity.
Careful gathering and investigation of samples from our telemetry allowed us to find more backdoors similar to the one dropped from the UEFI and to piece the puzzle together. We realized that the different malicious elements we observed were derived from a wider framework, which we dubbed MosaicRegressor.
As the act of targeting UEFI firmware for infection is considered to be a state-of-the-art persistence method, we had the idea that we are looking at the work of an APT group, but which one? Insights on code similarity, fine-grained details of implementation and the targets of the malware helped us zero in on a few candidates for attribution.
In this talk we will lay out all of our revelations on this campaign. We will tackle the internals of the MosaicRegressor framework and its variants, the map of targeted victims, the trail of clues that we used to profile the actor and the technology we used to find this threat in the first place. To the best of our knowledge, this is the second publicly disclosed UEFI based malware after LoJax, showing that the firmware inside our machines remains a stealthy and often overlooked attack surface for high profile actors.
Mark Lechtik is a Senior Security Researcher at Kaspersky`s GReAT, based in Israel. He is mainly engaged with reverse engineering and threat intelligence, spending most of his time digging into campaigns and complex sets of malware in the domain of Advanced Persistent Threats. Formerly, Mark worked as a researcher and manager of the Malware Research team at Check Point and spoke in various conferences, including CCC, REcon, CARO Workshop and AVAR.
Igor joined Kaspersky in 2001 as a virus analyst. In 2009 he was appointed to the position of Infrastructure Group Manager, where he led the development of our infrastructure for processing and detection of spam messages in the Anti-Spam division. In 2011 Igor joined the Global Research & Analysis Team at Kaspersky as a malware expert. In 2013 he became the Principal Security Researcher in the team. Igor specializes in investigating malware campaigns and reverse engineering advanced malware.
Sponsors and Supporting Organizations
Networking Lounge Sponsor