Karamjit Posted July 15, 2015

Hackers employ UEFI BIOS rootkit to make sure their malware remains in the victim's PC after a reinstall

With every new day, more and more details are emerging from the Hacking Team data leak, and Trend Micro researchers have now announced they've found a way through which the group managed to install malware that survived operating system reinstalls.

Using a UEFI BIOS rootkit, the Hacking Team group created a module for their Remote Control System (Galileo) surveillance software, which would check to see if the OS was infected with its malware agent every time the user rebooted the PC and would re-infect the system if its agent was missing.

Physical access was needed to the target computer

Using a slideshow presentation from the 400GB data leak, Trend Micro researchers have identified a procedure through which this was carried out.

The installation required three files to be copied on the target's computer. While the Hacking Team presentation guarantees this would only work if physical access was provided to the computer, Trend Micro researchers "can't rule out the possibility of remote installation," which in theory could happen.

The three modules in question are Ntfs.mod, which would allow the modified UEFI BIOS to read & write NTFS files; Rkloader.mod, which interconnects the UEFI events to system boots; and dropper.mod, a simple malware dropper kit that placed scout.exe on the user's computer if it wasn't present already.

scout.exe was usually installed in "\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6To_60S7K_FU06yjEhjh5dpFw96549UU," while the UEFI rootkit only checked for the presence of a second file, soldier.exe, but its source code did not reveal any installation procedures.

A surveillance system advertised for government agents

The UEFI BIOS rootkit was a perfect module for the group's Remote Control System, a surveillance software advertised as "The Hacking Suite for Governmental Interception."

This module would allow government agencies to make sure their spying tools remained on the victim's computer for a long while, all after a casual inspection of the person's computer in airports or after serving a warrant.

The Hacking Group went so far as to provide support for this module whenever clients found the rootkit was incompatible with one or more BIOS images.

According to Trend Micro, the rootkit worked with Insyde BIOS and AMI BIOS images, currently deployed with laptops and workstations sold by companies like Dell, HP, and Lenovo.

From
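Two defender-side triage checks for the persistence scheme the article describes, written here as an added example (this is not code from the forum post, from Trend Micro, or from the leaked tooling). The first scans a dumped firmware image for the three module names the article quotes (Ntfs.mod, Rkloader.mod, dropper.mod); it assumes, which the page does not state, that those names survive in the image as plain ASCII or UTF-16LE strings. The second lists entries in a per-user Startup folder that are not on a site allow-list, since the article says the dropper re-creates scout.exe under a randomly named Startup subdirectory. The firmware blob, the Startup directory and the allow-list in `demo()` are constructed sample data.

```python
"""Added example: firmware-dump string triage and Startup-folder audit.

Assumptions (not stated on the page): the rootkit's module names occur as
plain ASCII or UTF-16LE strings in a dumped image, and the site keeps an
allow-list of expected Startup-folder entries.
"""
import os
import tempfile

# Module names quoted in the article (the only identifiers the page gives).
SUSPECT_MODULES = ("Ntfs.mod", "Rkloader.mod", "dropper.mod")


def scan_firmware_for_modules(blob: bytes, names=SUSPECT_MODULES) -> list:
    """Return the subset of `names` that appears in a firmware dump.

    UEFI images usually carry module names in UTF-16LE user-interface
    sections, but for first-pass triage a raw string in either encoding is
    enough, so both encodings are checked case-insensitively.
    """
    lowered = blob.lower()  # bytes.lower() touches only ASCII letters
    hits = []
    for name in names:
        ascii_form = name.lower().encode("ascii")
        utf16_form = name.lower().encode("utf-16-le")
        if ascii_form in lowered or utf16_form in lowered:
            hits.append(name)
    return hits


def audit_startup_dir(startup_dir: str, allowlist) -> list:
    """Return Startup-folder entries (files or directories) not on the allow-list.

    The dropper described in the article placed scout.exe under a randomly
    named subdirectory of the Startup folder, so any unexpected entry there,
    directory or file, deserves a look.
    """
    allowed = {entry.lower() for entry in allowlist}
    return sorted(
        entry for entry in os.listdir(startup_dir) if entry.lower() not in allowed
    )


def demo() -> dict:
    """Run both checks on constructed sample data and return the findings."""
    # Constructed firmware blob: padding, one module name in UTF-16LE and one
    # in lowercase ASCII, so both encodings are exercised.
    fake_firmware = (
        b"\xff" * 32
        + "Rkloader.mod".encode("utf-16-le")
        + b"\x00" * 16
        + b"ntfs.mod"
        + b"\xff" * 32
    )
    with tempfile.TemporaryDirectory() as startup:
        # Constructed Startup folder: one expected file plus a directory named
        # like the one quoted in the article.
        open(os.path.join(startup, "desktop.ini"), "w").close()
        os.mkdir(os.path.join(startup, "6To_60S7K_FU06yjEhjh5dpFw96549UU"))
        unexpected = audit_startup_dir(startup, allowlist=["desktop.ini"])
    return {
        "firmware_hits": scan_firmware_for_modules(fake_firmware),
        "unexpected_startup_entries": unexpected,
    }


if __name__ == "__main__":
    print(demo())
```

A string hit in a dump is only a lead: a proper check parses the firmware volumes and compares each module against the vendor's signed image. The Startup audit is the cheap end of the same idea; on a real machine point `audit_startup_dir` at the per-user and all-users Startup folders and feed it the entries your build process actually creates.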
Chancer Posted July 15, 2015

Cat and mouse
straycat19 Posted July 16, 2015

This requires the RCS to be installed on the computer, which, by reading other information from the leak, is done via email attachments. So, if, like me, you use an Android tablet to read all your email accounts, your computer can never be infected via email. That just leaves downloads, drive-by or otherwise, and if you block software from running from the AppData folder then their RCS system cannot run either. Though I will admit it is a pain that software upgrades that download to the AppData folder will not run, so they have to be moved in order to run them.
CODYQX4 Posted July 16, 2015

We need a PC with a hardware BIOS update switch (not for noobs). Make it physically impossible to update the BIOS without a mechanical switch to do so, and malware can't just overwrite your BIOS/EFI at will.
212eta Posted July 18, 2015

BIOS infections are among the worst ones... :yes: