Kaspersky Lab experts have discovered a targeted cyber-espionage campaign in which the attackers infect computers with malware that collects all recently opened documents on the victim's machine, archives them and sends them back to the attackers.
UEFI firmware runs before the operating system and controls the early stages of boot. An attacker who plants code there gains full control over the computer: the implant can modify memory or disk contents, or force the operating system to run a malicious file. Because it lives in the firmware flash chip rather than on disk, neither replacing the hard drive nor reinstalling the OS gets rid of it; removing it means re-flashing the firmware with a known-clean image.
"This file is a bootloader: it communicates with the control server, collects all recent documents on the computer, archives them and sends them back to the server. In fact, this is plain espionage. So far we know of two victims of the UEFI bootkit, as well as several victims of the campaign who were hit by targeted phishing. All of them are diplomats or members of non-profit organizations whose activities are related to North Korea," commented Igor Kuznetsov, a leading anti-virus expert at Kaspersky Lab.
The experts also found that the components of the UEFI bootkit are based on the Vector-EDK code, a development kit created by the Hacking Team group that contains instructions for building a UEFI module and flashing it into the firmware. In 2015 this and other Hacking Team source code became freely available as a result of a leak, which allowed the attackers to build their own tooling on top of it.
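As an added example (not part of the original article, and not Kaspersky's detection tooling), here is a generic offline check for the kind of implant described above. UEFI DXE drivers and applications are PE/COFF images, so carving every PE module out of a firmware dump (taken with an SPI programmer or a firmware-dumping tool) and comparing module hashes with a dump from a known-clean machine of the same model and firmware version exposes any module that was flashed in. The sample dumps below are constructed bytes, and `make_pe` builds minimal stand-in modules; against real dumps you would read the two images from files.

```python
"""Carve PE/COFF modules out of a UEFI firmware dump and diff them against a clean baseline.

Added example (not Kaspersky's tooling): UEFI DXE drivers and applications are PE
images, so an implant flashed into the SPI chip shows up as a module that a clean
dump of the same board and firmware version does not contain.
"""
import hashlib
import struct

PE_SIG = b"PE\0\0"


def _pe_size(image: bytes, pos: int) -> int:
    """Return the byte length of a PE image starting at `pos`, or 0 if the 'MZ' there
    is not the start of a valid PE header (e.g. the letters 'MZ' inside padding)."""
    if pos + 0x40 > len(image):
        return 0
    e_lfanew = struct.unpack_from("<I", image, pos + 0x3C)[0]
    pe = pos + e_lfanew
    if not 0x40 <= e_lfanew <= 0x400 or pe + 24 > len(image) or image[pe:pe + 4] != PE_SIG:
        return 0
    # COFF header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]
    size_opt = struct.unpack_from("<H", image, pe + 20)[0]
    sect_table = pe + 24 + size_opt
    end = sect_table + 40 * num_sections          # at least the headers
    if end > len(image):
        return 0
    for i in range(num_sections):
        # section header: SizeOfRawData at +16, PointerToRawData at +20 (file-relative)
        raw_size, raw_ptr = struct.unpack_from("<II", image, sect_table + 40 * i + 16)
        end = max(end, pos + raw_ptr + raw_size)
    return min(end, len(image)) - pos


def carve_pe_modules(image: bytes):
    """Return [(offset, size, sha256)] for each PE module found in the dump."""
    modules = []
    pos = image.find(b"MZ")
    while pos >= 0:
        size = _pe_size(image, pos)
        if size:
            modules.append((pos, size, hashlib.sha256(image[pos:pos + size]).hexdigest()))
            pos = image.find(b"MZ", pos + size)   # skip over the module body
        else:
            pos = image.find(b"MZ", pos + 1)      # false hit, keep scanning
    return modules


def diff_firmware(baseline: bytes, suspect: bytes):
    """Compare module inventories; returns (added_hashes, removed_hashes) relative to baseline."""
    base = {sha for _, _, sha in carve_pe_modules(baseline)}
    susp = {sha for _, _, sha in carve_pe_modules(suspect)}
    return sorted(susp - base), sorted(base - susp)


def make_pe(payload: bytes, machine: int = 0x8664) -> bytes:
    """Build a minimal, well-formed PE with one section (constructed test data only;
    SizeOfOptionalHeader is 0, which real drivers never have but the carver tolerates)."""
    hdr_size = 0x40 + 4 + 20 + 40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       len(payload), hdr_size, 0, 0, 0, 0, 0x60000020)
    return dos + PE_SIG + coff + sect + payload


# Constructed sample dumps: erased-flash padding (0xFF), two legitimate-looking modules,
# and a stray "MZ" string in the padding that must NOT be reported as a module.
PAD = b"\xff" * 0x200
BASELINE = (PAD + make_pe(b"constructed DxeCore stand-in") + PAD + b"MZ-not-a-header"
            + PAD + make_pe(b"constructed SmmLockBox stand-in") + PAD)
EXTRA = make_pe(b"constructed unexpected DXE driver")   # the implant stand-in
SUSPECT = BASELINE[:-len(PAD)] + EXTRA + PAD


if __name__ == "__main__":
    for off, size, sha in carve_pe_modules(SUSPECT):
        print(f"module at 0x{off:06x} size {size:5d} sha256 {sha[:16]}...")
    added, removed = diff_firmware(BASELINE, SUSPECT)
    print(f"added: {len(added)} removed: {len(removed)}")
```

Two caveats when using this for real: the baseline must come from the same board and firmware version, since a legitimate vendor update also changes the module set, and a module-level diff only catches implants that arrive as extra or modified PE files, so treat it as a first pass rather than proof that the firmware is clean.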
"Be that as it may, we are dealing with a powerful, advanced tool for cyber attacks that far from every attacker is capable of building. However, with the appearance of ready-made working examples, there is a danger of the technology being reused, especially since the instructions for it can still be downloaded by anyone," added Kuznetsov.
Notably, Kaspersky Lab ran into similarly hard-to-detect malware five years ago, when it uncovered the command-and-control servers and attack traces of the Equation hacker group, which has been linked to US intelligence services.