A firmware boot-kit has been seen in the wild, targeting diplomats & members of non-governmental organisations (NGOs) from Africa, Asia & Europe. It has turned out to be part of a newly uncovered framework called Mosaic Regressor.
The Mosaic Regressor espionage framework is recently found & seems to be the work of Chinese-speaking players.
Commented researchers from Kaspersky, code artifacts in some of the framework’s components & overlaps in command-&-control (C2) infrastructure suggest that a Chinese-speaking group with connections to the Winnti backdoor is behind the attacks.
Kaspersky observed several dozen victims who received components from the Mosaic Regressor framework between 2017 & 2019 – all of whom had ties to N. Korea.
Connection to the DPRK
“Based on the affiliation of the discovered victims, we could determine that all had some connection to the DPRK, be it non-profit activity related to the country or actual presence within it,” Kaspersky explained.
This focus on N. Korea-related victims was reinforced by emails used to deliver the malware. These contained self-extracting (SFX) archives pretending to be documents discussing various N. Korea related subjects. Those were bundled with both an actual document & Mosaic Regressor variants, both of which execute when the archive is opened.
Modifying UEFI Malware
First, the researchers found rogue UEFI firmware images within Kaspersky’s telemetry, that were modified from their benign counterparts in order to incorporate a number of malicious modules.
“The modules were used to drop malware on the victim machines,” researchers explained, in a posting on Mon. “This malware was part of a wider malicious framework that we called Mosaic Regressor.”
UEFI is a specification that constitutes the structure & operation of low-level platform firmware, including the loading of the operating system itself. It can also be used when the OS is already up & running, for example, in order to update the firmware.
“UEFI firmware makes for a perfect mechanism of persistent malware storage,” Kaspersky researchers explained. “A sophisticated attacker can modify the firmware in order to have it deploy malicious code that will be run after the operating system is loaded.”
A subsequent inspection showed that the malicious firmware images contained 4 components: 2 driver execution environment DXE drivers & 2 UEFI applications. Looking even deeper, they found that the components were all based on a customised version of the leaked source code of Hacking Team’s Vector EDK boot-kit.
“The goal of these added modules is to invoke a chain of events that would result in writing a malicious executable named ‘IntelUpdate.exe’ to the victim’s Start-up folder,” says the research. “Thus, when Windows is started, the written malware would be invoked as well.”
The team was not able to find the exact infection vector that allowed the attackers to overwrite the original UEFI firmware. However, options include physical access to the victim’s machine, using a malicious USB key with a special update utility, or a remote infection, perhaps through a compromised update mechanism.
“Such a remote scenario would typically require exploiting vulnerabilities in the BIOS update authentication process,” researchers commented.
One of the 2 uncovered DXE drivers is named Ntfs. It is called this because it is used to detect & parse the NT File System (NTFS), in order to conduct file & directory operations on the disk.
SMM Reset meanwhile is a UEFI application intended to mark the firmware image as infected.
“This is done by setting the value of a variable named ‘fTA’ to a hard-coded globally unique identifier GUID,” researchers described. “The application is based on a component from the original Vector-EDK code base that is named ‘ReSetfTA.’”
Main Boot-Kit Component
The 2nd DXE driver is called SMM Interface Base & is based on Hacking Team’s “rkloader” component. It is used as a 1st-stage tool to deploy the main boot-kit component, SMM Access Sub, later on in the attack chain.
“This is done by registering a call-back that will be invoked upon an event of type EFI_EVENT_GROUP_READY_TO_BOOT. The event occurs at a point when control can be passed to the operating system’s bootloader, effectively allowing the call-back to take effect before it. The call-back will in turn load and invoke the ‘SMM Access Sub’ component,” according to the research.
SMM Access Sub serves as a persistent dropper for a user-mode malware & takes care of writing a binary embedded within it as a file named ‘IntelUpdate.exe’ to the start-up directory on disk. This allows the binary to execute whenever Windows is up & running.
“This is the only proprietary component amongst the ones we inspected, which was mostly written from scratch & makes only slight use of code from a Vector-EDK application named ‘fsbg,’” researchers wrote.
SMM Access Sub
SMM Access Sub runs through a series of actions that culminate in dropping the IntelUpdate.exe file to disk, Kaspersky explained.
1st, it bootstraps pointers for the System Table, Boot Services & Runtime Services global structures, and uncovers the currently loaded UEFI image. The module then tries to find the root drive in which Windows is installed, & makes sure that the \Windows\System32 directory is present.
“A global EFI_FILE_PROTOCOL object that corresponds to the drive will be created at this point and referenced to open any further directories or files in this drive,” researchers observed.
The module also looks for a marker file named ‘setupinf.log’ under the Windows directory & proceeds only if it does not exist. It then creates a file with the same name & goes on to check if the “Users” directory exists under the same drive.
If that directory exists, it writes the IntelUpdate.exe file (embedded in the UEFI application’s binary) under the Program Data\Microsoft\Windows\Start Menu\Programs\Startup directory in the root drive.
The Mosaic Regressor Framework
The Intel Update executable unpacks a new piece of malware, a downloader, which had not been seen in the wild before, Kaspersky observed. The analysts however were able to use code fingerprints to determine that the binary belongs to a wider, multi-stage & modular framework called ‘Mosaic Regressor’.
This is “a framework aimed at espionage & data-gathering,” explained the researchers. “It consists of downloaders, & occasionally multiple intermediate loaders, that are intended to fetch & execute payload on victim machines. We were able to obtain only a handful of payload components during our investigation.”
Most of the components are merely downloaders that fetch other payloads. E.g.,1 installs in the autorun registry values, & acts as another loader for components that themselves are also just intermediate loaders for the next stage DLLs.
Researchers commented that this modular nature of the framework allows the attackers to conceal the wider framework from analysis & deploy components to target machines only on demand.
Kaspersky did find 1 example of a late-stage component, an info-stealer called “load.rem.” It takes files from the “Recent Documents” directory & archives them with a password, “likely as a preliminary step before exfiltrating the result to the C2 by another component,” explained Kaspersky.
Kaspersky suspects the threat player to be Chinese speaking, based on some pieces of forensic evidence.
For instance, certain strings used in the system-information log contain a Unicode character that appears to be translated from either the Chinese or Korean code pages. Also, the researchers found a file resource in some of the samples that contained a language identifier set to 2052 (“zh-CN”). They also uncovered the use of an OLE2 object-builder commonly used by Chinese-speaking threat players.
Meanwhile, 1 of the C2 addresses used by 1 of Mosaic Regressor’s variants has been observed in the past being used by the Winnti umbrella & linked groups, which are APTs that have been linked to the Chinese govt.
“It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it…& the high stakes of burning sensitive toolset or assets when doing so. With this in mind, we see that UEFI continues to be a point of interest to APT actors, while at large being overlooked by security vendors.”