MosaicRegressor
Cybercriminals try to exploit any piece of hardware that is possible to compromise. In the past, we have seen ransomware threats that go after the Master Boot Record (MBR) of hard-disks, therefore preventing the infected computer from starting Windows at all. However, some cybercriminals are keen on creating malware that is as threatening as ransomware, but not that noisy and flashy. The MosaicRegressor is a new type of rootkit that is nothing like traditional rootkits in terms of the way it works. Instead of going after system drivers and modules, it tries to plant its code inside the Unified Extensible Firmware Interface (UEFI) module of the motherboard. The UEFI module is stored on a tiny piece of flash storage that is soldered to motherboards – this means that even a full reinstall of the operating system would not be enough to remove an implant like MosaicRegressor.
Cybersecurity Experts Identified a Second UEFI Rootkit in the Wild
While many high-profile threat actors are likely to experiment with UEFI rootkits, so far, only one working sample was discovered in the wild – LoJax. However, MosaicRegressor is the second threat of this type that is being used by its creators actively. Experts suspect that the criminals behind the MosaicRegressor project may be of Chinese origin. So far, they have harvested MosaicRegressor's unique capabilities to execute data-theft and espionage operations.
The MosaicRegressor packs an impressive range of Trojan downloaders and loaders that allow the attacker to orchestrate the campaign with high precision. Traces of MosaicRegressor's operations were discovered and identified on systems and networks used by various non-governmental organizations (NGOs) and political entities across Europe, Asia and Africa.
The infection vector that MosaicRegressor's operators use is so far unknown. Still, it is possible that they may be relying on compromised BIOS firmware/updates or physical access to the targeted system. While attacks using UEFI rootkits are difficult to execute incredibly, they can be very profitable for the cybercriminals who manage to pull them off.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.