1. Home >
  2. Defense

Kaspersky Finds Sophisticated UEFI Malware in the Wild

Security researchers from Kaspersky Labs are used to coming across advanced and devious malware, but rarely have they seen anything like MosaicRegressor. According to the company's latest blog post, this is just the second known UEFI-based malware.
By Ryan Whitwam
Close-Up Of Telephone Booth
(Credit: Getty Images)
Researchers from security firm Kaspersky are used to coming across advanced and devious malware, but rarely have they seen anything like MosaicRegressor. According to the company's latest blog post, this is just the second known UEFI-based malware. Because it operates on the low-level boot manager(Opens in a new window) that underlies most modern computers, it has extreme system access and staying power. The good news is you're probably not going to have to worry about getting infected.  The Unified Extensible Firmware Interface (UEFI) is the software that lives on your computer's motherboard. It's the first thing to turn on when you boot up the system, and that allows it access to almost every part of the operating system. It will also persist after reboots, formats, and even system component replacement. Since the UEFI resides on a flash memory chip soldered to the board, it's very hard to inspect for malware and even harder to purge. So, if you want to own a system and reduce the likelihood of getting caught, UEFI malware is the way to go. The problem is that it's very difficult to get malicious code into UEFI systems. Still, Kaspersky integrated a special firmware scanner into its antivirus products in 2019. Now, the firm says it has detected the second known instance of UEFI malware, which it calls MosaicRegressor.  The infection was discovered on just two computers, both belonging to diplomatic officials in Asia. The full exploit chain is long and varied, allowing the attackers to load multiple modules to control the target system and steal data. However, it all starts with the UEFI loader. On each boot, MosaicRegressor checks to see if its malicious "IntelUpdate.exe" file is in the Windows startup folder. If not, it adds the file. This is the gateway to all the other nasty things MosaicRegressor can do. We don't even know the full extent of the operation's capabilities, as Kaspersky was only able to capture a handful of the malware modules. The team has confirmed MosaicRegressor can exfiltrate documents from the infected systems, though.  Several clues point to a Chinese threat actor. Kaspersky researchers note that the attack appears to come from a Chinese-speaking individual or group -- it may be a tool developed by the Chinese government for all we know. Kaspersky was unable to determine how the original UEFI code was altered, but the team made some educated guesses based on a piece of 2015 UEFI malware. That exploit required physical access to the machine, making it unlikely anyone other than the targets would get infected. That suggests a professional operation orchestrated by an intelligence agency, but we're unlikely to ever get confirmation of that. Now read:

Tagged In

Uefi Security Malware Kaspersky China

More from Defense

An overhead photo of the Pentagon
Google Will Give the Military AI Assistance When Disaster Strikes
By Josh Norem
The Lenovo Daystar Bot GS standing in an office.
Lenovo Develops 6-Legged Robot Covered in Cameras, Which Is Fine
By Adrianna Nine
A photo from an alleged UFO sighting in New Jersey, 1952.
New Pentagon Report Says It Has Found No Evidence of Alien Technology
By Josh Norem
Intel Rio Rancho
Intel to Receive $3.5 Billion to Make Chips for the Military
By Josh Norem
X37-B on ground
Amateur Satellite Tracker Spots US Military's Classified Space Plane
By Ryan Whitwam
Subscribe Today to get the latest ExtremeTech news delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of use(Opens in a new window) and Privacy Policy. You may unsubscribe from the newsletter at any time.
Thanks for Signing Up