Malware Hides, Survives OS Reinstalls

Friday, July 17, 2015 @ 02:07 PM gHale

Researchers say Hacking Team found a way to install malware that survived operating system reinstalls.

Using a UEFI BIOS rootkit, the Hacking Team group created a module for its Remote Control System (Galileo) surveillance software. Every time the user rebooted the PC, the module would check whether the OS still carried the malware agent and would re-infect the system if the agent was missing, said researchers at Trend Micro.


The researchers identified the procedure the attackers used to carry out the infection.

The installation required three files to be copied onto the target’s computer. While Trend Micro said this would only work with physical access to the computer, the researchers “can’t rule out the possibility of remote installation,” which in theory could happen.

The three modules in question are Ntfs.mod, which allows the modified UEFI BIOS to read and write NTFS files; Rkloader.mod, which hooks the rootkit into the UEFI events fired at system boot; and dropper.mod, a simple malware dropper that placed scout.exe on the user’s computer if it wasn’t present already.

scout.exe was usually installed in “\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6To_60S7K_FU06yjEhjh5dpFw96549UU,” while the UEFI rootkit only checked for the presence of a second file, soldier.exe, whose installation procedure the source code did not reveal.
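Because the firmware module re-drops its agent on every boot, the observable on a running system is the dropped file in the per-user Startup folder. The following is an added defender-side example (not code from the article, Trend Micro, or Hacking Team) that scans every user's Startup folder for the filenames the article names and for random-looking directory names like the one quoted above; the entropy threshold and the constructed sample tree are assumptions for illustration.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article; the heuristic around them is constructed for this example.
DROPPED_NAMES = {"scout.exe", "soldier.exe"}
STARTUP_SUFFIX = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")


def shannon_entropy(s: str) -> float:
    """Bits per character; a random-looking name scores high, a word-like name low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_startup(users_root: Path, entropy_threshold: float = 4.0) -> list[dict]:
    """Walk every user's Startup folder under users_root and flag suspicious entries."""
    findings = []
    for user_dir in sorted(p for p in users_root.iterdir() if p.is_dir()):
        startup = user_dir / STARTUP_SUFFIX
        if not startup.is_dir():
            continue
        for entry in startup.rglob("*"):
            reason = None
            if entry.is_file() and entry.name.lower() in DROPPED_NAMES:
                reason = "known dropped filename"
            elif (entry.is_dir() and len(entry.name) >= 16
                  and shannon_entropy(entry.name) >= entropy_threshold):
                reason = "random-looking directory name in Startup"
            if reason:
                findings.append({"user": user_dir.name,
                                 "path": str(entry.relative_to(users_root)),
                                 "reason": reason})
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one clean user, one user carrying the layout described in the article."""
    clean = root / "alice" / STARTUP_SUFFIX
    clean.mkdir(parents=True)
    (clean / "OneDrive.lnk").write_text("shortcut")
    infected = root / "bob" / STARTUP_SUFFIX / "6To_60S7K_FU06yjEhjh5dpFw96549UU"
    infected.mkdir(parents=True)
    (infected / "scout.exe").write_bytes(b"MZ")  # placeholder bytes, not a real binary


def demo_findings() -> list[dict]:
    """Build the constructed tree in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return scan_startup(Path(tmp))


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

A hit only tells you the agent was dropped; since the dropper lives in firmware, removing the file or reinstalling the OS does not clear the implant, and remediation means reflashing a known-good BIOS image.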

The UEFI BIOS rootkit was a perfect module for the group’s Remote Control System, a surveillance software advertised as “The Hacking Suite for Governmental Interception.”

This module would allow government agencies to make sure their spying tools remained on victims’ computers for a long while.

Hacking Team went so far as to provide support for this module whenever clients found the rootkit was incompatible with one or more BIOS images.

The rootkit worked with Insyde BIOS and AMI BIOS images, currently deployed with laptops and workstations sold by companies like Dell, HP, and Lenovo, Trend Micro said.