MosaicRegressor: An UEFI malware

[German]Security researchers from Kaspersky have discovered malicious code in the UEFI installed on the motherboard of devices at customer sites. The malicious code was part of a larger malware framework called Kaspersky MosaicRegressor


Short info UEFI/BIOS

UEFI (Unified Extensible Firmware Interface)replaces the outdated BIOS (Basic Input Output System) on modern motherboards. The UEFI is ultimately a specification that defines the structure and operation of low-level platform firmware and provides functions so that the operating system can interact with the hardware at various stages of its activity. UEFI functions are used to execute the system boot sequence and load the operating system. This central function has made the UEFI a target for cyber criminals. This is because an infection of the UEFI also survives the reinstallation of the operating system and is not found by the usual security tools.

A leak 5 years ago

In 2015 there was a leak by the hacking team where the source code of a UEFI bootkit called VectorEDK was found in the leaked files. This code consisted of a set of UEFI modules that could be integrated into the platform firmware. The goal was to create a back door to the system that would be opened when the operating system was loaded, thus allowing access to the actors. Despite the fact that the code was published by VectorEDK and can be found on Github, Kaspersky had no concrete evidence until the current discovery that such a malware would appear in the wild.

However, there have been several attacks on the UEFI in recent years.  ESET discovered the LowJax rootkit in 2018. There, patched UEFI modules of the anti-theft software LoJack (also known as Computrace) were used to smuggle a malicious user-mode agent into a number of machines of various Sofacy \ Fancy Bear victims The dangers of Computrace were described by security specialists from the Global Research and Analysis Team (GReAT) as early as 2014.

Discovery of MosaicRegressor

During an investigation of various machines, the security researchers came across several suspicious UEFI firmware images, which they then examined more closely. The analysis revealed that the modified UEFI firmware images contained four components with similarities in their assigned GUID values. These were two DXE drivers and two UEFI applications. After further analysis, Kaspersky security researchers discovered that these were slightly modified variants of the respective elements based on the source code of HackingTeam's VectorEDK bootkit.

The goal of these added UEFI modules is to execute an infection chain at machine boot time, which saves a malicious executable file named IntelUpdate.exe to the victim's Windows startup folder. When Windows is then started by the victim, it automatically executes the malware. This approach allows the malware infection to survive any attempt to remove the malware components injected into Windows from the hard drive. This is because the UEFI infection ensures that the malware is reinjected into Windows at the next boot. Some solution is to remove the infected UEFI firmware.


MosaicRegressor is a multi-level and modular framework of malware that targets espionage and data collection. It consists of downloaders and several intermediate loaders that are designed to retrieve and execute payloads on the victims' computers. Since the framework consists of several modules, this helps attackers to hide the entire framework from analysis and to deploy components on the target machines only when needed. During the investigation, security researchers were only able to identify a handful of payload components that were loaded onto the victim machines. In the malware, mail addresses of a Russian domain were hard-coded.

Who are the victims

Kaspersky telemetry (which probably used Kaspersky security software to detect and report parts of the chain of infection) suggests that there were several dozen victims. These were injected with components from the MosaicRegressor framework between 2017 and 2019. Kaspersky generally names diplomatic institutions and NGOs in Africa, Asia and Europe as victims. Only two of them were also infected with the UEFI bootkit in 2019.

Based on the commonalities of the victims discovered, security analysts were able to conclude that they all had some connection to the DPRK (North Korea), either through charitable activities related to the country or through their actual presence in the country. This suspicion is reinforced by one of the infection vectors used to spread the malware to some of the victims. In fact, SFX archives were sent out claiming to contain documents that dealt with various issues related to North Korea. These were bundled with both an actual document and MosaicRegressor variants, both of which were executed when the archive was opened.

A further analysis suggests that the originators of the MosaicRegressor framework may be found in China or in Korea (certain strings refer to the character sets used in these countries for their languages). A more detailed analysis of the modules can be found in this blog post by Kaspersky. 

Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *