Posted on Leave a comment

Malware Campaign Hijacking Windows UEFI Bootloader To Infect Victims.

Kaspersky researchers had come across a Finspy surveillance malware campaign hijacking UEFI bootloader of windows for infecting the victim machines. The malware which is also called as Finfisher seems to be not infecting UEFI directly, instead it replaces the Windows Boot Manager (bootmgfw.efi) with a malicious one for the infection.

we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. When the UEFI transfers execution to the malicious loader, it first locates the original Windows Boot Manager. It is stored inside the efi\microsoft\boot\en-us\ directory, with the name consisting of hexadecimal characters. This directory contains two more files: the Winlogon Injector and the Trojan Loader. Both of them are encrypted with RC4. The decryption key is the EFI system partition GUID, which differs from one machine to another.” Stated in the research paper.

One of the interesting feature about this malware is that its ability to revolve around the infection by targeting MBR(Master Boot Record) on the machine where UEFI is not supported.

Throughout our research, we identified numerous legitimate applications backdoored with FinSpy. Examples include software installers (e.g. TeamViewer, VLC Media Player, WinRAR) as well as portable applications.All observed backdoored application samples have their original digital signature. It is invalid, which indicates that the application has been patched. While the entry point function of the application looks clear, inspection of the executable’s PE file sections does reveal anomalies: the backdoored application has its last section (.rsrc on the screenshot below) expanded by 51 KB.” reads the advisory released by kaspersky.

Researchers also identified that this specific variant harvests detail like sensitive documents, record keystrokes, steal email messages from Thunderbird, Outlook, Apple Mail, and Icedove, along with additional activities like webcam recorder, skype stealer, screen recorder ,etc.

Indicators of Compromise:

File Hashes

5EDF9810355DE986EAD251B297856F38
31F1D208EE740E1FDF9667B2E525F3D7
4994952020DA28BB0AA023D236A6BF3B
262C9241B5F50293CB972C0E93D5D5FC
405BB24ADE435693B11AF1D81E2BB279
EF74C95B1DBDBF9BD231DA1EE99F0A7E
B8A15A0CE29692FBA36A87FCDED971DE

File Paths

\efi\microsoft\boot\en-us\%HEXNUMS% – on EFI disk partition
/Library/Frameworks/Storage.framework – for Mac OS version

Mutexes

SessionImmersiveMutex
WininetStartupMutex0

Events

0x0A7F1FFAB12BB2
WinlogonLogon
Debug.Trace.Event.f120.0.v1
TermSrvReadyEvent%HEXNUMS%
SessionImmersiveEvent

Filemappings

0x0A7F1FFAB12BB3
windows_shell_global

Mailslots

mailslot\x86_microsoft.windows.c-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9
mailslot\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_4bf7e3e2bf9ada4c
mailslot\6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
mailslot\ConsoleEvent-0x00000DAC–16628266191048322066-650920812-1622683116-1844332734-1046489716-2050906124-443455187

Domains and IPs

45.86.136[.]138
79.143.87[.]216
185.25.51[.]104
109.235.67[.]175
213.252.247[.]105
108.61.190[.]183
185.141.24[.]204

Source: Kasperky

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin.

Leave a Reply