Kaspersky researchers have uncovered a FinSpy surveillance malware campaign that replaces the Windows UEFI boot manager to infect victim machines. The malware, also known as FinFisher, does not infect the UEFI firmware itself; instead it replaces the Windows Boot Manager (bootmgfw.efi) on the EFI system partition with a malicious loader.
“We found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. When the UEFI transfers execution to the malicious loader, it first locates the original Windows Boot Manager. It is stored inside the efi\microsoft\boot\en-us\ directory, with the name consisting of hexadecimal characters. This directory contains two more files: the Winlogon Injector and the Trojan Loader. Both of them are encrypted with RC4. The decryption key is the EFI system partition GUID, which differs from one machine to another,” the research paper states.
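Two things in that description are directly usable for triage: the hidden original boot manager sits in en-us\ under a purely hexadecimal name (the legitimate files there are *.mui resources), and the two companion files are RC4-encrypted under the EFI system partition GUID. The Python below is an added example written for this page, not Kaspersky's tooling: it filters a directory listing for hex-only names and RC4-decrypts a companion blob. The key encoding is an assumption (the paper only says the GUID is the key), as is the MZ-header sanity check on the result; the listing and the encrypted sample are constructed here so the script runs offline.

```python
"""Added triage helpers for the FinSpy bootkit layout quoted above (not Kaspersky's code)."""
import re
import uuid

# Assumption: the RC4 key is the ESP partition GUID as a lower-case ASCII string
# ("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"); the paper does not state the encoding.
HEX_ONLY_NAME = re.compile(r"\A[0-9A-Fa-f]+\Z")


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def esp_guid_key(partition_guid: str) -> bytes:
    """Normalise the ESP GUID (with or without braces, any case) to the assumed key bytes."""
    return str(uuid.UUID(partition_guid)).encode("ascii")


def hex_named_entries(listing):
    """Entries of \\efi\\microsoft\\boot\\en-us\\ whose names are hex digits only, with no
    extension: the naming the paper describes for the hidden original bootmgfw.efi."""
    return sorted(name for name in listing if HEX_ONLY_NAME.match(name))


def decrypt_companion(blob: bytes, partition_guid: str) -> bytes:
    """Decrypt one RC4-protected companion (Winlogon Injector / Trojan Loader) with the ESP GUID."""
    return rc4_crypt(esp_guid_key(partition_guid), blob)


def looks_like_pe(blob: bytes) -> bool:
    """Heuristic check that decryption produced something sensible.
    Assumption: the companions are PE files (the page does not say what they are)."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed sample: a fake en-us listing and a fake companion encrypted under a made-up GUID.
    guid = "{6B1D9F3E-0F2A-4C7B-9D1E-2A3B4C5D6E7F}"
    listing = ["bootmgfw.efi.mui", "bootmgr.efi.mui", "A3F1C0DE", "7B2E", "memtest.efi.mui"]
    print("hex-named entries:", hex_named_entries(listing))
    fake_companion = rc4_crypt(esp_guid_key(guid), b"MZ" + b"\x90" * 14)
    plain = decrypt_companion(fake_companion, guid)
    print("decrypted looks like PE:", looks_like_pe(plain))
```

On a live system the ESP is normally unmounted; mount it read-only (for example `mountvol S: /S` on Windows) and take the partition GUID from the GPT entry (PowerShell `Get-Partition | Select Guid`), then feed the listing and each companion file to the functions above. If the MZ check fails for every plausible key encoding, treat the key format, not the finding, as the open question.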
Another notable feature is that the malware also covers machines that do not support UEFI: on those systems it infects the MBR (Master Boot Record) instead.
“Throughout our research, we identified numerous legitimate applications backdoored with FinSpy. Examples include software installers (e.g. TeamViewer, VLC Media Player, WinRAR) as well as portable applications. All observed backdoored application samples have their original digital signature. It is invalid, which indicates that the application has been patched. While the entry point function of the application looks clear, inspection of the executable’s PE file sections does reveal anomalies: the backdoored application has its last section (.rsrc on the screenshot below) expanded by 51 KB,” reads the advisory released by Kaspersky.
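When a pristine copy of the installer can be fetched from the vendor, the tampering Kaspersky describes is easy to surface by diffing the two PE section tables and file sizes rather than by eyeballing the entry point. The Python below is an added example written for this page, not Kaspersky's tooling. It parses the section table and the security data directory with `struct` only, and builds constructed minimal PE images so it runs offline; the 51 KB growth of the last section is the only figure taken from the quote. It does not validate the Authenticode signature itself; use `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` for that.

```python
"""Added example: detect a post-signing section expansion by diffing a suspect PE
against a known-good copy. Not Kaspersky's tooling."""
import struct

SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(pe: bytes):
    """Return [(name, VirtualSize, SizeOfRawData, PointerToRawData), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    if table + 40 * n_sections > len(pe):
        raise ValueError("section table runs past end of file")
    sections = []
    for k in range(n_sections):
        name, vsize, _va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_HDR, pe, table + 40 * k)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize, rawptr))
    return sections


def security_directory(pe: bytes):
    """(file offset, size) of the Authenticode certificate table, or (0, 0) if unsigned."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)         # data directories: PE32+ vs PE32
    return struct.unpack_from("<II", pe, dirs + 4 * 8)   # index 4 = IMAGE_DIRECTORY_ENTRY_SECURITY


def diff_against_known_good(good: bytes, suspect: bytes):
    """Findings a hunter would act on: changed section sizes or names, changed file size."""
    findings = []
    g, s = parse_sections(good), parse_sections(suspect)
    if len(g) != len(s):
        findings.append(f"section count {len(g)} -> {len(s)}")
    for (gn, gv, gr, _gp), (sn, sv, sr, _sp) in zip(g, s):
        if gn != sn:
            findings.append(f"section renamed {gn} -> {sn}")
        if sr != gr:
            findings.append(f"{sn}: SizeOfRawData {gr} -> {sr} ({sr - gr:+d} bytes)")
        elif sv != gv:
            findings.append(f"{sn}: VirtualSize {gv} -> {sv}")
    if len(good) != len(suspect):
        findings.append(f"file size {len(good)} -> {len(suspect)} ({len(suspect) - len(good):+d} bytes)")
    if findings and security_directory(suspect)[1]:
        # Headers and section bodies are covered by the Authenticode hash, so a
        # retained certificate table on a modified image cannot verify.
        findings.append("certificate table retained on a modified image: signature will not verify")
    return findings


def build_sample_pe(sections):
    """Construct a minimal, non-executable PE32 image with the given [(name, raw_size)]
    sections. Constructed test input only; real samples are read from disk."""
    opt_size = 224                                            # PE32 optional header
    n = len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    headers_len = len(dos) + 4 + len(coff) + opt_size + 40 * n
    first_raw = raw_ptr = (headers_len + 0x1FF) & ~0x1FF      # 512-byte file alignment
    table, body, va = b"", b"", 0x1000
    for name, raw_size in sections:
        table += struct.pack(SECTION_HDR, name, raw_size, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += bytes(raw_size)
        raw_ptr += raw_size
        va += (raw_size + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + opt + table
    return image.ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    # Constructed pair: a "vendor" image and the same layout with .rsrc grown by 51 KB.
    good = build_sample_pe([(b".text", 0x2000), (b".data", 0x400), (b".rsrc", 0x800)])
    suspect = build_sample_pe([(b".text", 0x2000), (b".data", 0x400), (b".rsrc", 0x800 + 51 * 1024)])
    for line in diff_against_known_good(good, suspect):
        print(line)
```

Against real files, call `diff_against_known_good(open(vendor_copy, "rb").read(), open(suspect, "rb").read())`; a last-section growth with an otherwise identical table is exactly the pattern quoted above, and the retained-but-invalid signature is the confirmation.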
Researchers also found that this variant harvests sensitive documents, records keystrokes and steals email messages from Thunderbird, Outlook, Apple Mail and Icedove, and carries additional modules such as a webcam recorder, a Skype stealer and a screen recorder.
Indicators of Compromise:
\efi\microsoft\boot\en-us\%HEXNUMS% – on the EFI system partition
/Library/Frameworks/Storage.framework – macOS version
Domains and IPs