The infection was discovered on just two computers, both belonging to diplomatic officials in Asia. The full exploit chain is long and varied, allowing the attackers to load multiple modules to control the target system and steal data. However, it all starts with the UEFI loader. On each boot, MosaicRegressor checks to see if its malicious “IntelUpdate.exe” file is in the Windows startup folder. If not, it adds the file. This is the gateway to all the other nasty things MosaicRegressor can do. We don’t even know the full extent of the operation’s capabilities, as Kaspersky was only able to capture a handful of the malware modules. The team has confirmed MosaicRegressor can exfiltrate documents from the infected systems, though.
Kaspersky discovers second UEFI malware strain
Posted on Tuesday, October 06 2020 @ 12:48 CEST by Thomas De Maesschalck
Researchers from Russian cybersecurity outfit Kaspersky discovered a new type of UEFI malware. Called MosaicRegressor, this is only the second known strain of UEFI malware. Infecting UEFI is really hard but it's an attractive target for hackers as it provides full system access and is very hard to detect as well as to remove. ExtremeTech offers some more details. MosaicRegressor seems to have been developed by a Chinese-speaking individual or group, or possibly a state entity.