Researchers from security firm Kaspersky are used to coming across advanced and devious malware, but rarely have they seen anything like MosaicRegressor. According to the company’s latest blog post, this is only the second known UEFI-based malware. Because it lives in the low-level firmware that boots most modern computers, it has extreme system access and staying power. The good news is that you are probably not going to have to worry about getting infected.
The Unified Extensible Firmware Interface (UEFI) is the software that lives on your computer’s motherboard. It is the first code to run when you boot the system, which gives it access to almost every part of the operating system that loads after it. It also persists through reboots, disk formats, and even system component replacement. Since the UEFI resides on a flash memory chip soldered to the board, it is very hard to inspect for malware and even harder to purge.
So, if you want to own a system and reduce the likelihood of getting caught, UEFI malware is the way to go. The problem is that it is very difficult to get malicious code into UEFI firmware in the first place. Even so, Kaspersky integrated a special firmware scanner into its antivirus products in 2019. Now, the firm says that scanner has detected the second known instance of UEFI malware, which it calls MosaicRegressor.
The infection was discovered on just two computers, both belonging to diplomatic officials in Asia. The full exploit chain is long and varied, allowing the attackers to load multiple modules to control the target system and steal data. However, it all starts with the UEFI loader. On each boot, MosaicRegressor checks to see if its malicious “IntelUpdate.exe” file is in the Windows startup folder. If not, it adds the file. This is the gateway to all the other nasty things MosaicRegressor can do. We don’t even know the full extent of the operation’s capabilities, as Kaspersky was only able to capture a handful of the malware modules. The team has confirmed MosaicRegressor can exfiltrate documents from the infected systems, though.
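The persistence behaviour described above, where the firmware component re-creates the dropper in the Startup folder on every boot, gives defenders something to look for: a Startup entry that comes back after an administrator deletes it points to a persistence source below the operating system. The following is an added illustration, not code from the article or from Kaspersky; it tracks unexpected Startup-folder entries across scans in a constructed temporary directory, and the baseline allow-list, the `ReappearanceTracker` class and the simulated "boot" are all assumptions made for the example.

```python
"""Flag Startup-folder entries that return after removal (constructed example)."""
import os
import tempfile

# Hypothetical allow-list of entries an administrator expects in the Startup folder.
BASELINE = {"desktop.ini"}


def scan_startup(startup_dir, baseline=BASELINE):
    """Return the set of file names in startup_dir that are not on the allow-list."""
    return {name for name in os.listdir(startup_dir) if name not in baseline}


class ReappearanceTracker:
    """Remember entries an operator removed; anything seen again is escalated."""

    def __init__(self, baseline=BASELINE):
        self.baseline = set(baseline)
        self.removed = set()              # entries deleted after an earlier scan
        self.suspected_firmware = set()   # entries that came back after deletion

    def scan(self, startup_dir):
        unexpected = scan_startup(startup_dir, self.baseline)
        returned = unexpected & self.removed
        self.suspected_firmware |= returned
        return unexpected, returned

    def remove(self, startup_dir, name):
        os.remove(os.path.join(startup_dir, name))
        self.removed.add(name)


def simulate():
    """Constructed scenario: a dropper puts IntelUpdate.exe back on each 'boot'."""
    with tempfile.TemporaryDirectory() as startup_dir:
        def boot():  # stands in for the firmware-side dropper; writes an empty file
            open(os.path.join(startup_dir, "IntelUpdate.exe"), "wb").close()

        open(os.path.join(startup_dir, "desktop.ini"), "wb").close()
        tracker = ReappearanceTracker()
        boot()
        unexpected, _ = tracker.scan(startup_dir)   # first scan flags the dropper
        for name in unexpected:
            tracker.remove(startup_dir, name)       # operator cleans the folder
        assert tracker.scan(startup_dir)[0] == set()  # clean until the next boot
        boot()                                       # firmware re-creates the file
        tracker.scan(startup_dir)
        return sorted(tracker.suspected_firmware)    # returns ['IntelUpdate.exe']
```

A single unexpected entry is just a lead to investigate; the escalation here is the return of an entry that was already removed, which is exactly what a firmware-resident dropper produces and what a purely OS-level cleanup cannot fix.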
Kaspersky researchers note that the attack appears to come from a Chinese-speaking individual or group — it may be a tool developed by the Chinese government for all we know. Kaspersky was unable to determine how the original UEFI code was altered, but the team made some educated guesses based on a piece of 2015 UEFI malware. That exploit required physical access to the machine, making it unlikely anyone other than the targets would get infected. That suggests a professional operation orchestrated by an intelligence agency, but we’re unlikely to ever get confirmation of that.