Second ever UEFI Rootkit discovered - MosaicRegressor

Investigations into attacks on non-governmental organizations (NGOs) led to the discovery of a UEFI rootkit named MosaicRegressor.

UEFI (Unified Extensible Firmware Interface) firmware enables "sticky" malware: an implant written into the SPI flash chip soldered to the motherboard runs before the operating system on every boot and survives both OS reinstallation and hard drive replacement. Getting rid of it requires reflashing the firmware image itself.
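The practical consequence of that persistence is that detection has to happen at the firmware-image level: dump the SPI flash and compare its contents against a trusted dump of the same firmware version. The script below is an added example written for this page, not code from the MosaicRegressor report or from any vendor tool. It walks the FFSv2 firmware-volume and file headers of a raw BIOS region dump (for instance one produced with `chipsec_util spi dump` or flashrom), hashes every file, and reports files that were added or altered relative to a baseline image. The two images it builds at the bottom are constructed samples with made-up GUIDs, not real firmware.

```python
"""Inventory the FFS files in a UEFI firmware image and diff them against a
trusted baseline.  Added example for this article; assumes raw flash dumps
(BIOS region) as input and builds constructed sample images for the demo."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"   # EFI_FIRMWARE_VOLUME_HEADER.Signature sits at offset 40
FFS_HEADER_LEN = 24      # sizeof(EFI_FFS_FILE_HEADER) for FFSv2 (no large-file header)
FFS_ALIGNMENT = 8        # files are 8-byte aligned relative to the volume start
FFS_PAD = 0xF0           # EFI_FV_FILETYPE_FFS_PAD, never interesting for a diff
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FILE_TYPES = {
    0x01: "RAW", 0x02: "FREEFORM", 0x03: "SECURITY_CORE", 0x04: "PEI_CORE",
    0x05: "DXE_CORE", 0x06: "PEIM", 0x07: "DRIVER", 0x08: "COMBINED_PEIM_DRIVER",
    0x09: "APPLICATION", 0x0A: "SMM", 0x0B: "FIRMWARE_VOLUME_IMAGE",
    0x0C: "COMBINED_SMM_DXE", 0x0D: "SMM_CORE", 0xF0: "FFS_PAD",
}


def find_volumes(image):
    """Yield (start, fv_length, header_length) for every plausible '_FVH' header."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 40
        if start >= 0:
            fv_length, = struct.unpack_from("<Q", image, start + 32)
            header_length, = struct.unpack_from("<H", image, start + 48)
            # Reject signatures found inside file bodies: sizes must fit the image.
            if 56 <= header_length < fv_length <= len(image) - start:
                yield start, fv_length, header_length
        pos = image.find(FV_SIGNATURE, pos + 1)


def parse_files(image, fv_start, fv_length, header_length):
    """Yield (guid, type, body) for each FFS file in one volume."""
    pos, end = fv_start + header_length, fv_start + fv_length
    while pos + FFS_HEADER_LEN <= end:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:          # erased flash: no more files
            break
        guid = uuid.UUID(bytes_le=hdr[:16])
        ftype = hdr[18]
        size = int.from_bytes(hdr[20:23], "little")  # 24-bit size, includes header
        if size < FFS_HEADER_LEN or pos + size > end:
            break                                     # corrupt or truncated entry
        if ftype != FFS_PAD:
            yield guid, ftype, image[pos + FFS_HEADER_LEN:pos + size]
        rel = pos + size - fv_start
        pos = fv_start + ((rel + FFS_ALIGNMENT - 1) & ~(FFS_ALIGNMENT - 1))


def inventory(image):
    """Map file GUID -> (type name, sha256 of body) across all volumes found."""
    result = {}
    for fv_start, fv_length, header_length in find_volumes(image):
        for guid, ftype, body in parse_files(image, fv_start, fv_length, header_length):
            result[str(guid)] = (FILE_TYPES.get(ftype, hex(ftype)),
                                 hashlib.sha256(body).hexdigest())
    return result


def diff_against_baseline(suspect, baseline):
    """Return (added, changed): files absent from the baseline, and files whose body differs."""
    sus, base = inventory(suspect), inventory(baseline)
    added = {g: sus[g] for g in sus if g not in base}
    changed = {g: sus[g] for g in sus if g in base and sus[g][1] != base[g][1]}
    return added, changed


def build_volume(files):
    """Construct a minimal FFSv2 volume from (guid, type, body) tuples (sample data only)."""
    body = b""
    for guid, ftype, data in files:
        size = FFS_HEADER_LEN + len(data)
        hdr = (uuid.UUID(guid).bytes_le + b"\x00\x00"      # Name, IntegrityCheck (unchecked)
               + bytes([ftype, 0x00])                       # Type, Attributes
               + size.to_bytes(3, "little") + b"\xf8")      # Size, State (unchecked)
        entry = hdr + data
        body += entry + b"\xff" * (-len(entry) % FFS_ALIGNMENT)
    body += b"\xff" * 32                                    # erased tail ends the walk
    header_len = 56 + 16                                    # fixed header + 2 block-map entries
    fv_length = header_len + len(body)
    header = (b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", fv_length)
              + FV_SIGNATURE + struct.pack("<IHHHBB", 0, header_len, 0, 0, 0, 2)
              + struct.pack("<IIII", 1, fv_length, 0, 0))  # block map + terminator
    return header + body


# Constructed sample images (made-up GUIDs, not real firmware): a trusted vendor
# dump, and a suspect dump with one altered PEIM and one injected DXE driver.
VENDOR_FILES = [
    ("a1d1f3e5-0c2b-4b6a-9a0e-2f4c6e8a0b1c", 0x07, b"vendor DXE driver 1"),
    ("b2e2a4f6-1d3c-4c7b-8b1f-3a5d7f9b1c2d", 0x06, b"vendor PEIM"),
]
SUSPECT_FILES = [
    VENDOR_FILES[0],
    ("b2e2a4f6-1d3c-4c7b-8b1f-3a5d7f9b1c2d", 0x06, b"vendor PEIM patched"),
    ("c3f3b5a7-2e4d-4d8c-9c2a-4b6e8a0c2d3e", 0x07, b"injected DXE driver"),
]
VENDOR_IMAGE = b"\xff" * 64 + build_volume(VENDOR_FILES) + b"\xff" * 64
SUSPECT_IMAGE = b"\xff" * 64 + build_volume(SUSPECT_FILES) + b"\xff" * 64

if __name__ == "__main__":
    added, changed = diff_against_baseline(SUSPECT_IMAGE, VENDOR_IMAGE)
    for guid, (ftype, digest) in added.items():
        print(f"ADDED   {guid} {ftype} sha256={digest[:16]}")
    for guid, (ftype, digest) in changed.items():
        print(f"CHANGED {guid} {ftype} sha256={digest[:16]}")
```

On a real dump, replace the constructed images with `open(path, "rb").read()` for the suspect and baseline. The parser deliberately stays at the top-level FFSv2 layer: it does not decompress sections, expand nested firmware volumes, or handle FFSv3 large-file headers, so a thorough comparison of an extracted vendor image should be done with a full-featured tool such as UEFITool; the value of this script is showing the exact header fields a flash-resident implant has to write, and that a GUID-plus-hash inventory against a known-good image is enough to surface an added or patched driver.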

Previously only one other in-the-wild UEFI rootkit was known: LoJax, discovered back in 2018.

MosaicRegressor is a modular framework featuring several downloaders and multiple intermediary loaders whose purpose is to download and execute malicious payloads on victims' devices.

The investigators were able to obtain only a limited number of the framework's components, but at least one of those delivered by the BitsRegEx downloader variant was used to steal the contents of the Recent Documents folder.

The infection vector has not been clearly established yet, but based on the affiliations of the identified victims a connection to the DPRK has been found.

