A China-Linked Group Repurposed Hacking Team’s Stealthy Spyware
The tool attacks a device’s UEFI firmware—which makes it especially hard to detect and destroy.
The experts were investigating several suspicious UEFI firmware images when they discovered four components, some of which borrowed source code from a Hacking Team spyware.
At Kaspersky’s Security Analyst Summit this week, researchers Mark Lechtik and Igor Kuznetsov revealed their findings about a dangerous malware sample, which was detected on the PCs of two of Kaspersky’s customers earlier this year. The malware is particularly rare—and dangerous—because it’s engineered to alter a target computer’s Unified Extensible Firmware Interface, the firmware that is used to load the computer’s operating system. Because the UEFI sits on a chip on the computer’s motherboard outside of its hard drive, infections can persist even if a computer’s entire hard drive is wiped or its operating system is reinstalled, making it far harder to detect or remove than normal malware.
The UEFI implant was used to deploy a second-stage payload, a more traditional piece of spyware on the computer’s hard drive, which the experts classified as a variant derived from a wider framework they track as MosaicRegressor. But even if that second-stage payload is discovered and wiped, the UEFI remains infected and can simply deploy it again.
The MosaicRegressor framework was developed for cyber espionage purposes; its modular architecture allows operators to perform multiple actions.
Kaspersky researchers said they found MosaicRegressor components at several dozen entities between 2017 and 2019. The list of victims included NGOs and diplomatic entities in Asia, Africa and Europe.
Researchers speculate the threat actors behind these attacks are linked with the Winnti APT.