Friday, 03 February 2023

The Hacking Team used UEFI Rootkits for Persistent Malware


Last year during DEF CON 22 we saw a demonstration of a UEFI rootkit that was extremely worrying. The rootkit was installed using a multi-part system to infect the UEFI BIOS in a way that grants the attacker the same level of access the CPU has (Ring 0). It was an almost unprecedented style of attack. When we reported on it, many seemed to feel that it was not an issue. Now researchers are finding evidence of this same type of attack in the data lifted from the Hacking Team.

According to Trend Micro, they have found code suggesting that this type of persistent BIOS-based attack was actually being used. According to the data released by Trend Micro, the Hacking Team used a system very similar to what we saw at DEF CON in 2014.

“Three modules are first copied from an external source [..] to a file volume (FV) in the modified UEFI BIOS. Ntfs.mod allows UEFI BIOS to read/write NTFS files. Rkloader.mod then hooks the UEFI event and calls the dropper function when the system boots. The filedropper.mod contains the actual agents, which have the file name scout.exe and soldier.exe. This means that when the BIOS rootkit is installed, the existence of the agents is checked each time the system is rebooted.”
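As an added, defender-side illustration of the mechanism Trend Micro describes (modules planted in a firmware volume of the modified BIOS), the following is example code written for this page, not code from the article, Trend Micro or the Hacking Team. It walks the FFS files inside a UEFI firmware volume and flags any whose user-interface section carries one of the quoted module names; the firmware image is constructed inline, and the assumption that the dropped modules expose those names as UI sections is mine.

```python
import struct
import uuid

FV_SIGNATURE = b"_FVH"             # EFI_FIRMWARE_VOLUME_HEADER.Signature, at offset 40
EFI_SECTION_USER_INTERFACE = 0x15  # FFS section type carrying a module's UCS-2 name
# Module names as quoted from Trend Micro's analysis of the leaked BIOS rootkit.
WATCHLIST = {"ntfs.mod", "rkloader.mod", "filedropper.mod"}
_u24 = lambda b: b[0] | (b[1] << 8) | (b[2] << 16)  # 3-byte LE size field in FFS headers

def iter_ffs_files(fv):
    """Yield (guid, file_type, body) for every FFS file in one firmware volume."""
    if fv[40:44] != FV_SIGNATURE:
        raise ValueError("not a firmware volume: missing _FVH signature")
    fv_len = struct.unpack_from("<Q", fv, 32)[0]
    off = struct.unpack_from("<H", fv, 48)[0]  # HeaderLength: first file starts here
    while off + 24 <= fv_len:
        hdr = fv[off:off + 24]
        if hdr[:16] == b"\xff" * 16:           # erased flash, no more files
            break
        size = _u24(hdr[20:23])                # size includes the 24-byte header
        yield uuid.UUID(bytes_le=bytes(hdr[:16])), hdr[18], fv[off + 24:off + size]
        off = (off + size + 7) & ~7            # files are 8-byte aligned

def ui_name(body):
    """Return the UI-section name of an FFS file body, or None if it has none."""
    off = 0
    while off + 4 <= len(body):
        size = max(_u24(body[off:off + 3]), 4)  # never stall on a corrupt zero size
        if body[off + 3] == EFI_SECTION_USER_INTERFACE:
            return body[off + 4:off + size].decode("utf-16-le").rstrip("\x00")
        off = (off + size + 3) & ~3            # sections are 4-byte aligned

def find_suspect_modules(fv):
    """Sorted names of FFS files whose UI name is on the rootkit watchlist."""
    return sorted(n for _, _, body in iter_ffs_files(fv)
                  if (n := ui_name(body)) and n.lower() in WATCHLIST)

def build_sample_fv(names):
    """Constructed test image: a minimal FV holding one driver file per name."""
    files = b""
    for name in names:
        ui = name.encode("utf-16-le") + b"\x00\x00"
        section = struct.pack("<I", 4 + len(ui))[:3] + bytes([EFI_SECTION_USER_INTERFACE]) + ui
        size = 24 + len(section)
        hdr = uuid.uuid5(uuid.NAMESPACE_DNS, name).bytes_le + b"\x00\x00" + bytes([0x07, 0x00])
        files += hdr + struct.pack("<I", size)[:3] + b"\xf8" + section + b"\xff" * (-size % 8)
    total = 72 + len(files)  # 56-byte header plus one block-map entry and its terminator
    header = bytes(16) + uuid.NAMESPACE_OID.bytes_le + struct.pack(
        "<Q4sIHHHBB", total, FV_SIGNATURE, 0, 72, 0, 0, 0, 2) + struct.pack("<IIII", 1, total, 0, 0)
    return header + files
```

A real firmware dump usually contains several volumes, some compressed, so the same walk has to be repeated over each one it exposes.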

From the DEF CON 22 Talk:
“MITRE described two separate exploits that they developed for this new hole. One was called the Queen's Gamut and the other the King's. The Queen's Gamut was the more concerning of the two because it takes place before any locks are placed on the system, giving write-what-where access to the system. With this level of access they were able to show off the installation of an agent into the UEFI BIOS that they called the watcher.

The agent runs on every boot and is OS agnostic. This means that even if you pave the system it is still running. The limits of what it can do do not really exist because it has the highest level of privilege you can get on a computer. Also, the system does not have to actually download the malicious code to work. It only has to get into memory, so even if you block a bad script or your firewall restricts access to something, the code is still in memory and will be seen and executed by the agent.”

It seems that this type of attack went from concept to real-world exploit after all. This new information will also surely raise questions about the actual existence of the “flaws” that let this happen. During the DEF CON 22 talk we found out that some of the holes had what appeared to be developer’s notes explaining that work was needed to correct them. How could they still be in place after so many years?

Now this exploit has been leaked into the wild and you can be sure it is in the hands of more than one “bad guy”. The malware landscape has just changed, and for the worse. It is possible that this type of exploit would have been developed eventually, but now there is one ready-made out there, saving lots of time while providing a big payoff. We are hoping that there will be a ton of BIOS updates hitting the market to fix these holes (finally) so that this type of persistent rootkit becomes much harder to swing, but I am not going to hold my breath waiting. We can also expect more fun from the Hacking Team... they are the gift that keeps on giving.

Last modified on Thursday, 16 July 2015 06:44
