An older malware sample known as VectorEDK, which was publicly revealed five years ago as part of the Italian “Hacking Team” leaks, has been repurposed and is now being used by Advanced Persistent Threat (APT) actors targeting government employees in foreign diplomatic roles. In a story originally reported by Wired, Kaspersky has discovered a family of malware which uses the Unified Extensible Firmware Interface (UEFI) to install malware into the victim’s motherboard. Once persistence is achieved through the use of UEFI, a typical malware payload is loaded, nicknamed MosaicRegressor. With the UEFI persistence, even if the victim completely replaces the hard drive and reinstalls the operating system, the malware will redeploy MosaicRegressor malware onto the new disk.
While the initial stage is incredibly stealthy, this technique still depends on deploying a secondary payload to the system, which can be detected with Endpoint Detection and Response (EDR) software. However, EDR alerts are only useful when they are quickly handled by an experienced security analyst. Since attacks often take place outside of business hours, it is important to maintain 24/7 Security Operations Center (SOC) monitoring using an internal team or a managed security service such as Binary Defense’s Security Operations Task Force.