Skip to content

A China-Linked Group Repurposed Hacking Team’s Stealthy Spyware

When a hacking organization’s secret tools are stolen and dumped online for anyone to pick up and repurpose, the consequences can roil the globe. Now one new discovery shows how long those effects can persist. Five years after the notorious spy contractor Hacking Team had its code leaked online, a customized version of one of its stealthiest spyware samples has shown up in the hands of possibly Chinese-speaking hackers.

At an online version of the Kaspersky Security Analyst Summit this week, researchers Mark Lechtik and Igor Kuznetsov plan to present their findings about that mysterious malware sample, which they detected on the PCs of two of Kaspersky’s customers earlier this year.1 The malware is particularly unusual—and disturbing—because it’s designed to alter a target computer’s Unified Extensible Firmware Interface, the firmware that is used to load the computer’s operating system. Because the UEFI sits on a chip on the computer’s motherboard outside of its hard drive, infections can persist even if a computer’s entire hard drive is wiped or its operating system is reinstalled, making it far harder to detect or disinfect than normal malware.

The malware the Kaspersky researchers discovered uses its UEFI foothold to plant a second, more traditional piece of spyware on the computer’s hard drive, a unique piece of code Kaspersky has called MosaicRegressor. But even if that second-stage payload is discovered and wiped, the UEFI remains infected and can simply deploy it again. “Even if you would take the physical disk out and replace it with a new one, the malware will keep reappearing,” says Lechtik, who along with Kuznetsov works as a researcher on Kaspersky’s Global Research and Analysis Team. “So I think to date, it’s the most persistent method of having malware on your device, which is why it is so dangerous.”

The new UEFI malware is based on a hacking tool known as VectorEDK, created by Hacking Team, the now defunct hacking-for-hire contractor based in Italy. Hacking Team was breached in 2015 by the hacktivist known as Phineas Fisher, who stole and leaked a vast collection of the company’s internal emails as well as the source code for many of its hacking tools, including VectorEDK. That tool, which was intended to be installed with physical access to a target machine, has now been repurposed, with some customizations that change where the UEFI malware places its secondary malware payload on the victim’s hard drive.

Kaspersky says it found the UEFI malware on PCs used by diplomatic targets in Asia, but declined to say more about those victims, and it concedes that it doesn’t know how the UEFI malware first got there. But Kaspersky did find that the MosaicRegressor payload that the UEFI malware subsequently planted on those machines also appeared on other victims’ computers around the world, including on those of diplomats and NGO staff in Africa, Asia, and Europe, all of whom had worked on issues related to North Korea, Kaspersky says.

Some of those instances of MosaicRegressor were delivered not by any sort of UEFI malware but with more typical phishing emails in Russian and English that carried malicious attachments posing as North Korea–related documents. That MosaicRegressor payload came in the form of a downloader capable of installing new modular components of the malware from a remote server, and the Kaspersky researchers say they weren’t able to obtain most of those components. But they did see signs in some cases that the hackers had carried out the typical espionage tactic of collecting and compressing files to ferret back to a server they controlled.

As for the identity or nationality of the hackers behind the new UEFI malware, Kaspersky says it’s found only sparse clues, none definitive enough to conclusively link the hackers to a known group. But the researchers note multiple language hints in the hackers’ code: one that indicates they wrote in either Korean or Chinese, and another that suggests more clearly they wrote in the simplified Chinese used in mainland China. Kaspersky also observed that the hackers appear to have used a document-builder tool called Royal Road that’s popular among Chinese-speaking hackers.