Rewterz Threat Alert – Chinese Hacker Group Spotted Using a UEFI Bootkit in the Wild

Severity

High

Analysis Summary

A Chinese-speaking hacking group has been observed using a UEFI bootkit to download and install additional malware on targeted computers. UEFI firmware is a crucial component for every computer. This crucial firmware is inside a flash memory bolted to the motherboard and controls all the computer’s hardware components and helps boot the actual user-facing OS (such as Windows, Linux, macOS, etc.). 

Named MosaicRegressor, the kit is a multi-stage and modular framework aimed at espionage and data gathering. It consists of downloaders, and occasionally multiple intermediate loaders, that are intended to fetch and execute payload on victim machines. In two known cases, the initial stage of the framework was installed in the victim’s UEFI firmware, achieving the above-OS level of persistence.

The program contains four blocks of data encrypted with a simple one-byte XOR algorithm. Three of those blocks contain URL strings and the fourth contains a unique string, “D22”. It builds an identification string following the format: %Computer name%-D22_32 or 64 The 32 or 64 suffix is chosen based on system identification. The system is supposed to be 64 if the program is able to locate the file or directory named %WINDIR%\SysWOW64 The program then follows into an infinite C&C communication loop. In case any of the C&C servers provided a valid response, the program sends another download request for: URL of the valid C&C server/identification string/BeFileA.z. There are several SFX droppers with decoy documents that were sent to victims by e-mail. Each contains a document and a variant of a Curl-based downloader or a Winhttp-based downloader.

Impact

• Information Theft
• Data Exfiltration
• Code Execution

Indicators of Compromise

Domain Name

• exitui[.]rs

Hostname

• menjitghyukl[.]myfirewall[.]org

MD5

• 0EFB785C75C3030C438698C77F6E960E
• 12B5FED367DB92475B071B6D622E44CD
• 7C3C4C4E7273C10DBBAB628F6B2336D8
• 3B3BC0A2772641D2FC2E7CBC6DDA33EC
• 233B300A58D5236C355AFD373DABC48B
• 74DB88B890054259D2F16FF22C79144D
• AFC09DEB7B205EADAE4268F954444984
• D273CD2B96E78DEF437D9C1E37155E00
• 33F21AC73AFF4DFF71316795282A3D06
• 92F6C00DA977110200B5A3359F5E1462
• 7908B9935479081A6E0F681CCEF2FDD9
• DC14EE862DDA3BCC0D2445FDCB3EE5AE
• D197648A3FB0D8FF6318DB922552E49E
• F5B320F7E87CC6F9D02E28350BB87DE6
• 0D386EBBA1CCF1758A19FB0B25451AFE
• C63D3C25ABD49EE131004E6401AF856C
• 89527F932188BD73572E2974F4344D46
• 72C514C0B96E3A31F6F1A85D8F28403C
• d848d4ec24e678727b63251e54a0a5de
• b53880397d331c6fe3493a9ef81cd76e
• 0d3da5adb9bb63c7fcb0185756601749
• 88750b4a3c5e80fd82cf0dd534903fc0
• e2f4914e38bb632e975cff14c39d8dcd
• 1732357d3a0081a87d56ee1ae8b4d205
• 4769891fccc26c1583e0f21b1a18d2ba
• 328ad6468f6edb80b3abf97ac39a0721
• 08ecd8068617c86d7e3a3e810b106dce
• 9e182d30b070bb14a8922cff4837b94d
• 7ac0189801242d5261ab5c0c43c7f8d3
• 13773bc34a47124743c9836c6ff80695
• a8516452fe7d4d5d2fd0685ccf8a64b2
• 7b213a6ce7ab30a62e84d81d455b4dea
• 6e949601ebdd5d50707c0af7d3f3c7a5
• 3d2835c35ba789bd86620f98cbfbf08b
• 36b51d2c0d8f48a7dc834f4b9e477238
• 6dbb092e081c3e23d555c2a460b96187
• 67cf741e627986e97293a8f38de492a7
• 9aa47dceccb306a80101f47ab148578d
• 91a473d3711c28c3c563284dfafe926b
• b23e1fe87ae049f46180091d643c0201
• a69205984849744c39cfb421d8e97b1f
• 9f13636d5861066835ed5a79819aac28
• cfb072d1b50425ff162f02846ed263f9
• 449be89f939f5f909734c0e74a0b9751
• 61b4e0b1f14d93d7b176981964388291
• 17a11d22e491acb8c84f8636c3a41637
• dd8d3718197a10097cd72a94ed223238
• 70def87d180616406e010051ed773749
• 1c5377a54cbaa1b86279f63ee226b1df
• ae66ed2276336668e793b167b6950040
• df1b910626a380bffa22a757f419135c
• bd393a70e44fdf175c5b428286bb890f

SHA-256

• 64eabfc0612ac82eb80b8e955549b6a01899b712a99243d116e087828ca9e070
• ab021048f3d2c61cfbef9d4fb54148e81b2f2c887589e3e6813eb8c1dba36468
• 2e85ca515acbfd4b03f93218764e3166af04eb6f75de14ce4dfd97d6ef259579
• 25da7cc807578394716925afd30a9cc9d543e2fa2a2b25ce8f52160b3b4bc073
• fc189b913bfd5995a7ed5c4e8a811ad237f7b973e120a25baccffbf4ea1d3838
• eaa31ce8f9ec828e040801df9faa911e7b70f29f23a70f24504f6ec02f3504ff
• 35a476a77218128bd797c04b27f53049998c0951833e47b32455091d83ff4f02
• f63ccdabade319cc73a3c5eb41a2877bdb70f4db8bf8414d49fd2f402845f27c
• 2826815873d90ad38c5aeeed57c09385d6ad9a3cebaa18757f557a698e9f92b6
• e3d63dc50b6a477e0361e71f80e133337bab1d11e809387e8e3a058614780b21
• 7eba9f6f9774c87fafc4aba403821fae73a50d387624d039d1b296cf0befca73
• bffe333c3470e6012924409b6aa48b20e9d12f181c0f6b03f50db64ddf7596a7
• b47f8eda04def2df3d2c58199af5fdded338d08bee8fb3636f441a46bb3ff119
• cdd2cb01c8afda2b2ce77cfa257dd6e0bdd4aecc9e7be5f4c55c34d424376ed9
• aa9627a62eb193cc40f2a5ffd259035a43540b2abd634c80f0d988f7588fa23d
• 0cfe9d9131d8c5ac7d39bce9700d92b7de6a3e7bb0b7d72b17fd29f7eb86d93f
• 0fdcea00a78e0263caa45205d09b107bd50a9696f59a66951e8b9afc42d54e02
• 8f939e65e9ffedd16ae86687e154adbe607d56950d082778300039283f2f8330
• 230de38fc10b7c07af5aceb6ebbafa80c45c2b9123a7a167f85e8a05b5cf0db7
• 14e48d3aa7b9058c56882eb61fa40cf1f52614fe8feb8a43658ad02a570147e0
• c2695ef5f3a400219caa2347f5b914c15d74a133efa24d96d121acfa7f95a67e
• a651af2ce8338d979e6c9d7eed4b3f5c4500602565d36025b3079f9f05afcb33
• 2c0df314dcdc9fa161f5f31369037f747a794e26cee6f8835cc37eef3077f782
• 980d2f2d658324bb85ae044de91feb23a276e4ad04850588531e2f916a1696a2
• a37ed89053e6a686ea227c25db5b472654e49def03b1eb69b613e5b831822996
• 4d7f654cf507af2cc4ecfa6e49ea61d3e8b474a2c454ac0cfc06c124ccd90be2
• b2982325d3231ba5959484b01f5b6492babd37f10a8736e6bf81b47253bc99eb
• e1d1d5e1c91d0f4142247b45fb18c0c7dcc94719f4340cf6443100364802aeae
• c093c3e366ef0d4bd759a467842868cb1dd974c17e5230499707ec5bee5af304
• 5c7a75d30713bb6873529efebd8bf0a28f8c3720ef4300804703dd33e2086fd0
• 33b480094df24e4c991ba9db84160ec84de2a2b597ae691bc95f74ba36b3e63f
• fa116cf9410f1613003ca423ad6ca92657a61b8e9eda1b05caf4f30ca650aee5
• 19300fd4cf9dfa28d8d3331e9d48739c38d7151f330463ffe13d6809d5705f1a
• 4b03409184b3206f7e3a43ff9f7713722c9acd871dd961d918f66e65d92f43f9
• f31034fffec424d6e4505318400ecc3b00f8c2107c1823510a037b11a49f0741
• 2e7808e3cfebad45815b3de7b91ea39970e8d99c607c71cb70052cee0e140db4
• 7e2b1bbffa7f05e7bf57ee60d162ef1e6f83b2e3fb5aa0da985add67af517901
• adb8bfa6e227847c2ffa6e1c97d08280081426480ed9b2ce6af26a23fbd1334c
• b8425a5c05c01c1294ce75719049e1b4eab32c34cabe456c281f110976cf2ade

SHA1

• 2b3bfe0a014b6ef22ac3eb9133e070445cef75bc
• 50fb92c30346be3bbd7ab6bc0cdb260baaa0f91d
• ed1a2dc37066dc83947be46b67a4f693b9d18f3e
• 6896f9b29570a5ddf4dba2831ecfd39476ee075a
• 30d9c598136999238f155b592c90dc70416f72d6
• 9f17b875e06d0dca92807bdb7eab2cc9437ee735
• 3d9e14d4535fa26b899afc135ecb9e769d1d9597
• 816b6cd1a108cd229e2390e1928a967230553627
• 6ad1767919b228a5550f47c0683fad7ea3ca0075
• 04A5D783100C634CF01B862A839E2C7FB6797CA0
• 6EE3606B8617053754A01C1CBE6A1BCB03C5406A
• FDCD48CD0E094C5AE50665D506707D0658CE97BE
• BD7B5C56F58DB4A94C3097E8D7F78EAF51DBF335
• A3646FD4517ED6C42E7F05E76267445BDC1FF9A0
• FF52A54976BD89D31E246C23A267B8835CDE9383
• 96A36C681A38CFBA295D4C81B06EF3381456B868
• 1648AE7C4BA4E87D9B6F02D6C99675C394F44A26
• AAB1A8E78ED4E9B79EDB5CFF6B6DF6DD6B24FE65
• 72DBD9BC44173033B504DDDC655B2082E99CF2B9

Source IP

• 103[.]39[.]109[.]252
• 103[.]82[.]52[.]18
• 103[.]243[.]26[.]211
• 103[.]243[.]24[.]171
• 103[.]56[.]115[.]69
• 103[.]229[.]1[.]26
• 144[.]48[.]241[.]32
• 144[.]48[.]241[.]167
• 43[.]252[.]230[.]180
• 43[.]252[.]228[.]75
• 103[.]39[.]109[.]239
• 103[.]30[.]40[.]39
• 43[.]252[.]228[.]84
• 150[.]129[.]81[.]21
• 43[.]252[.]228[.]179
• 103[.]195[.]150[.]106
• 117[.]18[.]4[.]6
• 43[.]252[.]228[.]252
• 103[.]39[.]110[.]193
• 103[.]30[.]40[.]116

URL

• https[:]//43[.]252[.]230[.]180
• https[:]//103[.]39[.]109[.]239/requry
• https[:]//103[.]39[.]110[.]193
• https[:]//43[.]252[.]228[.]84/bits
• https[:]//103[.]39[.]109[.]252/insult
• https[:]//103[.]243[.]26[.]211/bits
• https[:]//103[.]30[.]40[.]116
• https[:]//43[.]252[.]228[.]84/quest
• https[:]//103[.]56[.]115[.]69/bisen
• https[:]//43[.]252[.]228[.]252/help
• https[:]//103[.]229[.]1[.]26
• http[:]//43[.]252[.]228[.]179/ambeg[.]png
• https[:]//117[.]18[.]4[.]6
• https[:]//43[.]252[.]228[.]179
• https[:]//103[.]243[.]24[.]171/bits
• http[:]//103[.]195[.]150[.]106/%Computername%/winword[.]exe
• https[:]//144[.]48[.]241[.]32/bits
• https[:]//menjitghyukl[.]myfirewall[.]org/thren
• https[:]//103[.]30[.]40[.]39/bits

Remediation

• Block the threat indicators at their respective controls.
• Do not download files attached in untrusted emails.
• Avoid clicking on URLs given in emails coming from unknown senders.