A Chinese-speaking hacking group has been observed using a UEFI bootkit to download and install additional malware on targeted computers. UEFI firmware is a crucial component of every computer: it lives in a flash chip soldered to the motherboard, initializes and controls the machine’s hardware components, and boots the user-facing operating system (Windows, Linux, macOS, etc.). Because it runs before the OS and is not stored on disk, malware planted there survives OS reinstallation and drive replacement.
Named MosaicRegressor, the kit is a multi-stage, modular framework aimed at espionage and data gathering. It consists of downloaders, and occasionally several intermediate loaders, whose job is to fetch and execute payloads on victim machines. In two known cases the initial stage of the framework was installed in the victim’s UEFI firmware, giving it persistence at a level beneath the operating system.
The downloader contains four blocks of data encrypted with a simple one-byte XOR algorithm. Three of the blocks hold URL strings and the fourth holds the unique marker string “D22”. The program builds an identification string of the form %Computer name%-D22_32 or %Computer name%-D22_64, where the 32 or 64 suffix is chosen by a crude architecture check: the system is assumed to be 64-bit if the program can locate a file or directory named %WINDIR%\SysWOW64. It then enters an infinite C&C communication loop. If any of the C&C servers returns a valid response, the program issues a further download request to <URL of the valid C&C server>/<identification string>/BeFileA.z. Several SFX droppers carrying decoy documents were sent to victims by e-mail; each contains a document together with a variant of either a Curl-based or a Winhttp-based downloader.
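The configuration layout described above (single-byte XOR over URL blocks plus a marker, an identification string built from the computer name and a 32/64 suffix, and a fixed download path) is the kind of thing an analyst reproduces in a small script so that the embedded C&C addresses can be recovered from a sample and turned into blocklist or detection content. The following Python is an added example written for this article; it is not code from the original page or from the researchers who analysed MosaicRegressor. The XOR key, the placeholder URLs and the sample blocks are constructed here for illustration, and the assumption that the marker block shares a key with the URL blocks is the example’s own, not something the page states.

```python
"""Recover single-byte XOR-obfuscated configuration blocks and reproduce the
downloader's identification-string and URL construction, for analysis.

Added example for this article; the key and URLs below are constructed
placeholders, not values from any real sample."""
import string
from typing import List, Optional

# Constructed sample data: three URL blocks and the "D22" marker, XORed with
# one key. In a real analysis the blocks would be carved from the binary.
_SAMPLE_KEY = 0x5A
_SAMPLE_PLAINTEXT = [
    b"http://c2-placeholder-1.example/",
    b"http://c2-placeholder-2.example/",
    b"http://c2-placeholder-3.example/",
    b"D22",
]

_PRINTABLE = set(string.printable.encode())


def xor_block(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key. XOR is its own inverse, so the same call
    both obfuscates and recovers a block."""
    return bytes(b ^ key for b in data)


SAMPLE_BLOCKS = [xor_block(p, _SAMPLE_KEY) for p in _SAMPLE_PLAINTEXT]


def recover_xor_key(block: bytes, expected_prefix: bytes = b"http") -> Optional[int]:
    """Derive the key from the first byte under the assumption that the block
    decodes to something starting with expected_prefix, then verify that the
    whole prefix matches and the output is printable. Returns None otherwise."""
    if not block or not expected_prefix:
        return None
    key = block[0] ^ expected_prefix[0]
    candidate = xor_block(block, key)
    if not candidate.startswith(expected_prefix):
        return None
    if not all(b in _PRINTABLE for b in candidate):
        return None
    return key


def decode_config(blocks: List[bytes], url_prefix: bytes = b"http") -> List[Optional[bytes]]:
    """Decode all blocks. URL blocks give away their key via the known prefix;
    the marker block (no known prefix) is decoded with a key recovered from a
    URL block, on the assumption (ours, not the page's) that the key is shared.
    Blocks that cannot be decoded are returned as None."""
    keys = {}
    for i, blk in enumerate(blocks):
        k = recover_xor_key(blk, url_prefix)
        if k is not None:
            keys[i] = k
    decoded: List[Optional[bytes]] = []
    for i, blk in enumerate(blocks):
        if i in keys:
            decoded.append(xor_block(blk, keys[i]))
            continue
        for k in sorted(set(keys.values())):
            plain = xor_block(blk, k)
            if plain and all(b in _PRINTABLE for b in plain):
                decoded.append(plain)
                break
        else:
            decoded.append(None)
    return decoded


def build_identifier(computer_name: str, syswow64_present: bool) -> str:
    """%Computer name%-D22_32 or _64; the suffix follows the SysWOW64 check
    described in the article rather than a real architecture query."""
    suffix = "64" if syswow64_present else "32"
    return f"{computer_name}-D22_{suffix}"


def payload_url(c2_url: str, identifier: str) -> str:
    """<C&C URL>/<identification string>/BeFileA.z, the second-stage request
    the article describes. Useful as a proxy/URL-filter detection pattern."""
    return f"{c2_url.rstrip('/')}/{identifier}/BeFileA.z"


if __name__ == "__main__":
    for blk, plain in zip(SAMPLE_BLOCKS, decode_config(SAMPLE_BLOCKS)):
        print(blk.hex(), "->", plain)
    ident = build_identifier("WORKSTATION", syswow64_present=True)
    print(payload_url("http://c2-placeholder-1.example/", ident))
```

The known-prefix trick is what makes the key recovery deterministic: with a one-byte key, the first ciphertext byte XORed with the expected first plaintext byte yields the key directly, and the rest of the prefix plus a printability check confirms it. Once the URLs and the `/<ID>/BeFileA.z` request shape are known, both can be fed to a web proxy or IDS as indicators without ever contacting the servers.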