Hacking Team's Malware Uses a UEFI Rootkit

Uploaded on 2015-07-24 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

htbios1.png

Technical support provided by Hacking Team

Surveillance software maker Hacking Team has provided its government customers with the ability to infect the low-level firmware found in laptops and other computers that they wanted to spy on.

The company developed a tool that can be used to modify a computer’s UEFI (Unified Extensible Firmware Interface) so that it silently reinstalls its surveillance tool even if the hard drive is wiped clean or replaced.

UEFI is a replacement for the traditional BIOS (Basic Input/output System) and is meant to standardize modern computer firmware through a reference specification. But there are multiple companies that develop UEFI firmware, and there can be significant differences between the implementations used by PC manufactures.

Hacking Team developed a method for infecting the UEFI firmware developed by Insyde Software, a Taiwanese company that counts Hewlett-Packard, Dell, Lenovo, Acer and Toshiba among its customers, according to security researchers from antivirus vendor Trend Micro.
“However, the code can very likely work on AMI BIOS as well,” the Trend Micro researchers said in a blog post. AMI BIOS refers to firmware developed by American Megatrends, a long-time BIOS market leader.

Trend Micro found details about the UEFI rootkit in the more than 400GB worth of files and emails that were leaked recently from Milan-based Hacking Team by a hacker. For the past week, security researchers and journalists have been sifting through the data uncovering malware source code, client lists, exploits for unpatched vulnerabilities and more information.
A Hacking Team slideshow presentation suggests that installing the UEFI rootkit requires physical access to the target computer, but remote installation can’t be ruled out, the Trend Micro researchers said.
Gaining temporary physical access to some computers wouldn’t be a big problem for government agencies, because many countries have laws that allow the inspection of laptops and other devices at their borders.

Hacking Team refers to its surveillance software as “the hacking suite for governmental interception” and claims to sell it only to government agencies. Even so, most antivirus vendors detect the highly intrusive software, which is known as Remote Control System (RCS) or Galileo, as malware.

To install the RCS UEFI rootkit, an attacker must reboot the system into the UEFI shell, extract the firmware, write the rootkit to the dumped image and then flash it back to the system, the Trend Micro researchers said. The rootkit itself has three modules: one for reading and writing to NTFS file systems; one for hooking the OS boot process; and one that checks if RCS is present on the system.

The rootkit checks for the existence of two software agents called scout.exe and soldier.exe every time the system is rebooted. If they don’t exist, it installs scout.exe at a predefined location inside the OS, the Trend Micro researchers said.
The possibility of installing rootkits into a computer’s BIOS, or UEFI, firmware has been demonstrated by multiple researchers at security conferences over the past several years. However, known cases of such rootkits being used in the wild are extremely rare.

A search through the email communications leaked from Hacking Team reveals that the company’s engineers have kept an eye out for every article and research paper on BIOS and UEFI hacking written since 2009. This includes blog posts on cracking BIOS passwords, papers on defeating signed BIOS enforcement and leaked documents about the US National Security Agency’s BIOS infecting capabilities.
The emails also show that the company’s research and development team was working on the “persistent UEFI infection” feature since at least mid-2014. 

In December, Hacking Team’s operations manager Daniele Milan asked a senior security engineer for clarifications on the feature in order to answer potential customer inquiries. The engineer responded that the feature was tested successfully on Dell Latitude 6320, Dell Precision T1600, Asus X550C and Asus F550C. It also worked on Toshiba Satellite C50 and the Acer Aspire E1-570, but with a higher risk of failure. In principle, the software works on all laptops, workstations and servers with 64-bit CPU architectures that support Windows 7 and Windows 8 Pro, the engineer said.

In a later email, he mentioned that the “chiavetta” also works on Dell servers. Chiavetta means key in Italian, but it’s also widely used to refer to USB thumb drives, giving a hint about how the UEFI rootkit can be deployed.

To prevent such infections, Trend Micro advises users to enable the UEFI SecureFlash option, to set up a BIOS/UEFI password and to update the firmware to its latest version so that it has the latest security patches. 

PCWorld

 

« Finland – Prolific Hacker Arrested & Sentenced
Delivered: America’s Drone Debut »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Dome9

Dome9

Dome9 is a cloud firewall management service that stops vulnerabilities, secures remote access, and centralizes policy management.

Applicure Technologies

Applicure Technologies

Applicure Technologies develops the leading multi-platform web application security software products to protect web sites and web applications from external and internal attacks.

Commissum

Commissum

Commissum specialise in information assurance and security testing services.

AcceptLocal

AcceptLocal

AcceptLocal is a payments industry consultancy with expertise in payment processing, payment security, anti-money laundering and fraud prevention.

The Security Awareness Company (SAC)

The Security Awareness Company (SAC)

The Security Awareness Company provides cyber security awareness training programs for companies of all sizes.

CyberArrow

CyberArrow

CyberArrow (formerly EBDAA) is a consultancy company providing high quality consultancy services in Risk & Compliance and Awareness & Education.

Cyber Craft

Cyber Craft

CyberCraft is an innovative and dynamic software development, outsourcing and consulting company. Services offered include penetration testing.

Advens

Advens

Advens is a company specializing in information security management. We provide Consultancy, Security Audits and Technology Solutions.

Swascan

Swascan

Swascan is the first all-in-one, GDPR Compliant, Cloud Security Suite Platform. GDPR Assessment, Web Application Scan, Network Scan, Code Review.

Proton Data Security

Proton Data Security

Proton Data Security is a certified small business specializing in the design, manufacturing and sales of data security products for permanent erasure of hard drives, tapes and optical media.

Bfore.ai

Bfore.ai

Stop future attacks, today. Bfore.ai is an operational threat intelligence feed to add predictive technology to your security infrastructure.

Truvantis

Truvantis

Truvantis is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization’s infrastructure, data, operations and products.

National Cybersecurity Alliance

National Cybersecurity Alliance

The National Cybersecurity Alliance is a non-profit organization on a mission to create a more secure, interconnected world.

SecureChain AI

SecureChain AI

SecureChain are combining blockchain and AI technology to create a smarter blockchain platform especially in terms of security.

Mobb

Mobb

Mobb's AI-powered technology automates vulnerability remediations to significantly reduce security backlogs and free developers to focus on innovation.

Radiant Security

Radiant Security

Radiant Security offers an AI-powered security co-pilot for Security Operations Centers (SOCs). Reinforce your SOC with an AI assistant.