Custom-made UEFI bootkit found lurking in the wild

By | October 5, 2020
Custom-made UEFI bootkit found lurking in the wild
sasha85ru | Getty Imates

For only the second time in the annals of cybersecurity, researchers have found real-world malware lurking in the UEFI, the low-level and highly opaque firmware required to boot up nearly every modern computer.

As software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an operating system in its own right. It’s located in a SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. And it’s the first thing to be run when a computer is turned on, allowing it influence or even control the OS, security apps, and all other software that follows.

Those characteristics make the UEFI the perfect place to stash malware, and that’s just what an unknown attack group has done, according to new research presented on Monday by security firm Kaspersky Lab.

Last year, after the Moscow-based company integrated a new firmware scanner in its antivirus products, researchers recovered a suspicious UEFI image from one of its users. After further research, Kaspersky Lab discovered that a separate user had been infected by the same UEFI image in 2018. Both infected users were diplomatic figures located in Asia.

The highest level of persistence

Analysis eventually showed that each time the firmware ran, it checked to see if a file titled IntelUpdate.exe was inside the Windows startup folder. If it wasn’t, the UEFI image would put it there. IntelUpdate.exe, it turned out, was a small but important cog in a large and modular framework built for espionage and data gathering. IntelUpdate.exe acted as the first link in a long chain. It reported to an attacker-controlled server to download another link, which in turn, would download other links, all of which were customized to the profile of the person being infected.

The security company is presenting the findings at its Security Analyst Summit @Home conference. In a blog post accompanying the panel, authors Mark Lechtik and Igor Kuznetsov wrote:

The attacks described in this blog post demonstrate the length an actor can go in order to gain the highest level of persistence on a victim machine. It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target’s SPI flash chip, and the high stakes of burning sensitive toolset or assets when doing so.

With this in mind, we see that UEFI continues to be a point of interest to APT actors, while at large being overlooked by security vendors. The combination of our technology and understanding of the current and past campaigns leveraging infected firmware, helps us monitor and report on future attacks against such targets.