New Delhi: A rare piece of spy malware has hit diplomats and members of NGOs in Asia, Africa and Europe in a series of targeted cyber attacks. The attacks used spear-phishing documents, some written in Russian and others related to North Korea, as lures to download the malware.
Based on the affiliation of the discovered victims, the researchers at cyber security firm Kaspersky were able to determine that the malware campaign known as “MosaicRegressor” was used in a series of targeted attacks.
The campaign has so far not been linked “to any known advanced persistent threat (APT) actors”.
The researchers uncovered the APT espionage campaign that uses a very rarely seen type of malware known as a firmware bootkit.
The UEFI bootkit used with the malware is a custom version of Hacking Team’s bootkit leaked in 2015.
“Although UEFI attacks present wide opportunities to the threat actors, MosaicRegressor is the first publicly known case where a threat actor used a custom made, malicious UEFI firmware in the wild,” said Mark Lechtik, senior security researcher at Global Research and Analysis Team (GReAT) at Kaspersky.
“This attack demonstrates that, albeit rarely, in exceptional cases actors are willing to go to great lengths in order to gain the highest level of persistence on a victim’s machine.”
UEFI firmware is an essential part of a computer, which starts running before the operating system and all the programs installed in it.
If UEFI firmware is somehow modified to contain malicious code, that code will be launched before the operating system, making its activity potentially invisible to security solutions.
Kaspersky researchers found a sample of such malware used in a campaign that deployed variants of a complex, multi-stage modular framework dubbed MosaicRegressor.
“The framework was used for espionage and data gathering with UEFI malware being one of the persistence methods for this new, previously unknown malware,” the researchers explained.
The malware initially installed on the infected device is a Trojan-downloader, a programme capable of downloading additional payloads and other malware.
“Depending on the payload downloaded, the malware could download or upload arbitrary files from/to arbitrary URLs and gather information from the targeted machine,” the findings showed.
“The use of leaked third-party source code and its customization into a new advanced malware once again raises yet another reminder of the importance of data security,” said Igor Kuznetsov, principal security researcher at Kaspersky’s GReAT.
“Once software — be it a bootkit, malware or something else — is leaked, threat actors gain a significant advantage,” he added.