Cybercriminals try to exploit any piece of hardware that can be compromised. In the past, we have seen ransomware that overwrites the Master Boot Record (MBR) of the hard disk, preventing the infected computer from starting Windows at all. Some threat actors, however, want malware that is just as powerful as ransomware but far less noisy and flashy. MosaicRegressor is a rootkit that works nothing like traditional rootkits. Instead of hooking system drivers and kernel modules, it plants its code in the Unified Extensible Firmware Interface (UEFI) firmware of the motherboard. That firmware lives on a small SPI flash chip soldered to the board, entirely outside the hard disk, so a full reinstall of the operating system, or even a replacement disk, is not enough to remove an implant like MosaicRegressor; the firmware itself has to be reflashed with a clean vendor image.
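Because the implant sits in the firmware rather than on disk, the practical check is to dump the SPI flash and compare the modules it contains against the vendor's known-good image. The following is an added example written for this article, not code from the original page, from the MosaicRegressor authors or from any vendor tool: a minimal walker over UEFI firmware volumes (the `_FVH` header and FFS2 file headers) that lists each module's GUID, type and UI name, then reports modules present in a captured dump but absent from the baseline. The two images are constructed inline, and every GUID and module name in them is a placeholder, not a real indicator of compromise.

```python
"""List the modules in a UEFI firmware image and diff against a vendor baseline.

Added example: the sample images below are constructed here; their GUIDs and
module names are placeholders and not indicators of any real implant.
"""
from __future__ import annotations

import struct
import uuid
from dataclasses import dataclass

FV_SIGNATURE = b"_FVH"                          # found at offset 40 of a firmware volume header
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
SECTION_USER_INTERFACE = 0x15                    # section type carrying the UCS-2 module name
FILE_TYPES = {0x02: "FREEFORM", 0x05: "DXE_CORE", 0x06: "PEIM",
              0x07: "DRIVER", 0x09: "APPLICATION", 0x0A: "SMM", 0xF0: "PAD"}


@dataclass(frozen=True)
class Module:
    guid: uuid.UUID
    kind: str
    name: str


def find_volumes(image: bytes):
    """Yield (offset, length, header_length) for each firmware volume in the image."""
    pos = 0
    while (sig := image.find(FV_SIGNATURE, pos)) != -1:
        pos = sig + 1
        start = sig - 40
        if start < 0 or start + 56 > len(image):
            continue
        fv_len = struct.unpack_from("<Q", image, start + 32)[0]
        hdr_len = struct.unpack_from("<H", image, start + 48)[0]
        if hdr_len < 56 or fv_len < hdr_len or start + fv_len > len(image):
            continue                                 # stray signature, not a real header
        yield start, fv_len, hdr_len
        pos = start + fv_len


def module_name(file_data: bytes) -> str:
    """Walk the 4-byte-aligned FFS sections of one file and return its UI name, if any."""
    pos = 0
    while pos + 4 <= len(file_data):
        size = int.from_bytes(file_data[pos:pos + 3], "little")
        if size < 4:
            break
        if file_data[pos + 3] == SECTION_USER_INTERFACE:
            return file_data[pos + 4:pos + size].decode("utf-16-le").rstrip("\x00")
        pos += (size + 3) & ~3
    return ""


def list_modules(image: bytes) -> list[Module]:
    """Enumerate every FFS file (24-byte header, 8-byte aligned) in every volume."""
    modules = []
    for fv_off, fv_len, hdr_len in find_volumes(image):
        pos, end = fv_off + hdr_len, fv_off + fv_len
        while pos + 24 <= end:
            hdr = image[pos:pos + 24]
            if hdr[:16] == b"\xff" * 16:
                break                                # erased flash: no more files
            size = int.from_bytes(hdr[20:23], "little")
            if size < 24 or pos + size > end:
                break
            kind = FILE_TYPES.get(hdr[18], f"0x{hdr[18]:02x}")
            name = "" if kind == "PAD" else module_name(image[pos + 24:pos + size])
            modules.append(Module(uuid.UUID(bytes_le=hdr[:16]), kind, name))
            pos = fv_off + ((pos + size - fv_off + 7) & ~7)
    return modules


def unexpected_modules(baseline: bytes, captured: bytes) -> list[Module]:
    """Modules in the captured dump whose GUID does not appear in the vendor baseline."""
    known = {m.guid for m in list_modules(baseline)}
    return [m for m in list_modules(captured) if m.guid not in known]


# ---- constructed sample images (placeholder GUIDs and names) ----
def _ffs_file(guid: uuid.UUID, file_type: int, name: str) -> bytes:
    ui = name.encode("utf-16-le") + b"\x00\x00"
    section = (len(ui) + 4).to_bytes(3, "little") + bytes([SECTION_USER_INTERFACE]) + ui
    size = 24 + len(section)
    hdr = guid.bytes_le + b"\x00\x00" + bytes([file_type, 0x00]) + size.to_bytes(3, "little") + b"\xf8"
    return hdr + section + b"\xff" * (-(len(hdr) + len(section)) % 8)


def _volume(files: list[bytes]) -> bytes:
    body = b"".join(files)
    hdr_len = 72                                     # 56-byte fixed header + one block-map entry + terminator
    fv_len = hdr_len + len(body)
    hdr = (b"\x00" * 16 + FFS2_GUID.bytes_le
           + struct.pack("<QIIHHHBB", fv_len, 0x4856465F, 0, hdr_len, 0, 0, 0, 2)
           + struct.pack("<IIII", 1, fv_len, 0, 0))
    return hdr + body


_CORE = _ffs_file(uuid.UUID("11111111-0000-0000-0000-000000000001"), 0x05, "DxeCore")
_USB = _ffs_file(uuid.UUID("11111111-0000-0000-0000-000000000002"), 0x07, "UsbBusDxe")
_PLANTED = _ffs_file(uuid.UUID("deadbeef-0000-0000-0000-000000000099"), 0x07, "ExtraDxe")
VENDOR_IMAGE = _volume([_CORE, _USB])                # known-good reference from the vendor
CAPTURED_IMAGE = _volume([_CORE, _USB, _PLANTED])    # dump with one extra DXE driver planted

if __name__ == "__main__":
    for m in unexpected_modules(VENDOR_IMAGE, CAPTURED_IMAGE):
        print(f"unexpected {m.kind} module {m.guid} {m.name!r}")
```

On a real machine the captured image comes from reading the SPI flash (for example with a hardware programmer or the platform's flash-read utility) and the baseline from the vendor's published firmware package; compressed or GUID-defined sections are not handled here, so a production check should also hash each module's PE32 section rather than trust GUIDs alone.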
Cybersecurity Experts Identified a Second UEFI Rootkit in the Wild
While many high-profile threat actors are likely to experiment with UEFI rootkits, until now only one working sample had been found in the wild: LoJax. MosaicRegressor is the second implant of this type confirmed to be in active use by its creators. Researchers suspect that the group behind the MosaicRegressor project is Chinese-speaking. So far, they have used MosaicRegressor's capabilities for data theft and espionage operations.
MosaicRegressor comes with an impressive range of Trojan downloaders and loaders that let the attacker stage each campaign with high precision. Traces of its operations were discovered on systems and networks belonging to non-governmental organizations (NGOs) and political entities across Europe, Asia and Africa.
The infection vector used by MosaicRegressor's operators is still unknown. They may be relying on compromised firmware images or firmware updates, or on physical access to the targeted machine. While attacks using UEFI rootkits are incredibly difficult to execute, they can be very rewarding for the attackers who manage to pull them off.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to MosaicRegressor may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service. Keep in mind that a scan at the operating-system level can find and remove the Windows-side components of such a threat, but a firmware implant itself can only be removed by reflashing the UEFI firmware with a clean image from the motherboard vendor.
Why can't I open any program, including SpyHunter? A malware process running in memory may be killing any program you try to launch on your PC. Tip: Download SpyHunter on a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.