Cybersecurity researchers have spotted a rare kind of potentially dangerous malware that targets a machine’s booting process to drop persistent malware.
The campaign involved the use of a compromised UEFI (or Unified Extensible Firmware Interface) containing a malicious implant, making it the second known public case where a UEFI rootkit has been used in the wild.
According to Kaspersky, the rogue UEFI firmware images were modified to incorporate several malicious modules, which were then used to drop malware on victim machines in a series of targeted cyberattacks directed against diplomats and members of an NGO from Africa, Asia, and Europe.
Calling the malware framework “MosaicRegressor,” Kaspersky researchers Mark Lechtik, Igor Kuznetsov, and Yury Parshin said a telemetry analysis revealed several dozen victims between 2017 and 2019, all of whom had some ties to North Korea.
UEFI is a firmware interface and a replacement for BIOS that improves security, ensuring that no malware has tampered with the boot process. Because UEFI facilitates the loading of the operating system itself, such infections are resistant to OS reinstallation or replacement of the hard drive.