Report: Second-Ever Instance of UEFI Malware Discovered

Image: Gigabyte

We’ve learned the second instance of UEFI-level malware has been spotted in the wild – otherwise referred to as “rootkits”, dangerous malware that targets the foundation of your PC hardware.

The new find comes via computer security research group Kaspersky, who noted the new rootkit strain is dubbed “MosaicRegressor,” and like previous rootkit malware – it persists even after wiping your machine and reinstalling your operating system.

The discovery was made upon an investigation into non-government organizations being attacked. Due to the nature of this malware, the infected UEFI will retain the malware and re-infect any new operating systems and even harddrives. As the UEFI manages the literal bootup of your PC, infected UEFI will persist before antivirus or antimalware even comes into play.

Kaspersky noted they discovered the malware after looking into a bunch of strange looking UEFI firmware images (the actual code that runs the bootup sequel of your PC). They found many components of the rootkit were built upon leaked source code from HackingTeam’s VectorEDK bootkit, with some changes.

It remains unclear how this malware made its way into the wild, as typically getting rootkit malware onto a machine requires physical access to the machine, with a USB or other external media.

“Such a USB would contain a special update utility that can be generated with a designated builder provided by the company,” Kaspersky said. “We found a Q-flash update utility in our inspected firmware, which could have been used for such a purpose as well.”

The actual behavior of the rootkit is to “invoke a chain of events that would result in writing a malicious executable named ‘IntelUpdate.exe’ to the victim’s Startup folder,” followed by the implanting of the malware once Windows is booted up. Should the malware be removed, it will be rewritten from UEFI.

While most users – and readers of Niche Gamer – probably won’t have to worry about MosaicRegressor, it is very concerning that it exists. There is a possibility of it being deployed remotely, “perhaps through a compromised update mechanism.” We’ll keep you guys posted.

This is Niche Gamer Tech. In this column, we regularly cover tech and things related to the tech industry. Please leave feedback and let us know if there’s tech or a story you want us to cover!

Niche Gamer Staff


The premiere enthusiast gaming site and community for niche and unique video games across the globe.

Comment Policy: Read our comment policy and guidelines before commenting.