Security researchers have found a new UEFI attack. Part of a hacker framework called MosaicRegressor, the cyber attack targeted victims with ties to North Korea in the last 3 years. The Unified Extensible Firmware Interface is a malware with its own cyber system.
The firmware was used in attacks recently. This is the second case of an exploited UEFI malware. Components from the framework have been discovered in a series of targeted attacks against authorities. Their activities showed links with North Korea. Code hacking in some components of the framework and overlap in infrastructure was used during the activities. Security researchers believe Winnti belongs to a group, which means several smaller criminal factions are using it to identify with it. Last year, the backdoor used the Skip malware to hack Microsoft servers. The campaign relied on malware on the servers that could allow the stored information to be accessed using a password string.
The malware is not embedded in the operating system, but on the mainboard in the module. It doesn’t matter what kind of cyber activities are planned. There is also no point in exchanging them or setting up the system again. The malware can collect data from the operating systems with a manipulated boot kit. Once inside the mainboard, the malware can always install the required components.
As for the new UEFI malware, it appears to be a version of a boot kit. The kit code was leaked a few years ago and has been available online ever since. The malware is used to install the MosaicRegressor, which is the second payload. MosaicRegressor is capable of cyber and data activities, and it includes additional downloaders that other secondary components can run.
With regard to the identity of the threat actor behind MosaicRegressor, Kaspersky said it found multiple code-level hints that indicate they were written in Chinese or Korean and noted the use of the Royal Road (8.t) RTF weaponizer, which has been tied to multiple Chinese threat groups in the past.