Cybersecurity firm Kaspersky Lab claimed that Chinese hackers might be using malware that can survive Windows OS reinstalls to spy and exploit a computer’s UEFI (Unified Extensible Firmware Interface).
“This attack demonstrates that, albeit rarely, in exceptional cases, actors are willing to go to great lengths in order to gain the highest level of persistence on a victim’s machine,” said Kaspersky Lab researcher Mark Lechtik in a statement.
Kaspersky Lab bared that it discovered the UEFI-based malware on machines belonging to two victims. The malware works to create a Trojan file called “IntelUpdate.exe” in the Startup Folder, which will reinstall itself even if the user finds it and deletes it.
The malware’s goal is to deliver other hacking tools on the victim’s computer, including a document stealer that will fetch files from the “Recent Documents” directory before uploading them to the hacker’s command and control server.
“Since this logic is executed from the SPI flash, there is no way to avoid this process other than eliminating the malicious firmware,” Kaspersky Lab stressed, adding that in order to remove the malware, a victim would need to update the motherboard’s firmware.
The software security company refrained from naming the victims, but said the culprits have been going after computers belonging to “diplomatic entities and NGOs in Africa, Asia, and Europe.”
While looking over the malware’s computer code, Kaspersky Lab also noticed the processes can reach out to a command and control server previously tied to a suspected Chinese state-sponsored hacking group known as Winnti. The firm found evidence that the creators behind the malware used the Chinese language while programming the code.
This is the second time security researchers have uncovered malware designed to exploit the UEFI. In 2018, antivirus vendor ESET reported a separate instance of UEFI-based malware, dubbed Lojax, which may have come from Russian state-sponsored hackers.