Even the Windows Boot Manager isn’t safe from malware attacks. A new UEFI BootKit that loads the FinFisher spyware (also known as FinSpy or Wingbird) successfully compromises the pre-Windows PC startup environment.
Originally developed by Gamma Group, this very powerful surveillance solution seems to be making its way into the hands of malware creators and operators of ransomware services.
New UEFI BootKit loading FinSpy successfully compromises Windows Boot Manager:
Commercially developed FinFisher malware is now infecting Windows PCs. The malware relies on a UEFI BootKit, which replaces the legitimate Windows Boot Manager with a malicious copy.
Kaspersky researchers have revealed the concerning development, which could be very difficult to detect and mitigate: “During our research, we found a UEFI BootKit that was loading FinSpy. All machines infected with the UEFI BootKit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one.”
Kaspersky Lab researchers find new FinFisher spyware with "high emphasis on defense evasion, making [it] one of the hardest-to-detect spywares to date." https://t.co/zE3pRykLst
— Lorenzo Franceschi-Bicchierai (@lorenzofb) September 28, 2021
“This method of infection allowed the attackers to install a BootKit without the need to bypass firmware security checks. UEFI infections are very rare and generally hard to execute, and they stand out due to their evasiveness and persistence.”
UEFI stands for Unified Extensible Firmware Interface. It is the successor to the BIOS (Basic Input Output System). Both are simple yet critical firmware that runs before Windows or any other operating system starts.
UEFI firmware resides in SPI flash storage. Simply put, the firmware does not load from a boot disk. Instead, manufacturers permanently solder the flash storage onto the motherboard.
Needless to say, any piece of malware infecting the bootloader is very difficult to detect and remove. Replacing boot disks or even reinstalling the operating system does not help.
How does a UEFI BootKit find its way onto a motherboard’s soldered SPI flash storage?
BootKits are malicious code planted in the UEFI firmware of a motherboard. Hence, they remain invisible to security solutions that only start protecting the system once the operating system is running.
BootKits give attackers unhindered control over an operating system’s boot process. Needless to add, this can potentially allow attackers to bypass even the Secure Boot mechanism, depending on the boot sequence and configuration.
Such malware, and such infections, are extremely rare. Usually, only state-sponsored cybercriminals and hackers have access to a UEFI BootKit, and it is used very selectively to compromise the devices of high-value targets.
The FinFisher, FinSpy, or Wingbird UEFI BootKit, however, did not infect the UEFI firmware itself. Instead, it places itself between the UEFI boot-up sequence and the operating system’s startup process by replacing the Windows Boot Manager.
The BootKit reportedly installed itself on a separate partition and “could control the boot process of the infected machine,” indicated Kaspersky researchers.
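Because this BootKit lives on disk rather than in the SPI flash, a defender can look for its two visible traces: a bootmgfw.efi on the EFI System Partition that is no longer validly signed by Microsoft, and an extra or unexpected EFI partition or firmware boot entry. The following PowerShell script is an added example, not code from the article or from Kaspersky; it assumes an elevated prompt on the machine being examined, a free drive letter S:, and that the only expected signer of the boot manager is Microsoft.

```powershell
# Added example (not from the article or from Kaspersky): audit the EFI System
# Partition(s) for a replaced Windows Boot Manager. Run from an elevated prompt.
# Assumptions: drive letter S: is free; the expected signer is Microsoft.

$EspGuid = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'   # GPT type GUID of an EFI System Partition

# 1. Enumerate EFI System Partitions. More than one, or one on an unexpected disk,
#    deserves a closer look: the BootKit described above lived on a separate partition.
$esps = Get-Partition | Where-Object { $_.GptType -eq $EspGuid }
$esps | Select-Object DiskNumber, PartitionNumber, Size, Offset | Format-Table -AutoSize

# 2. Mount the system partition the firmware actually boots from and inspect bootmgfw.efi.
mountvol S: /S
try {
    $bootmgr = 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
    $sig  = Get-AuthenticodeSignature -FilePath $bootmgr
    $hash = (Get-FileHash -Algorithm SHA256 -Path $bootmgr).Hash

    [PSCustomObject]@{
        Path   = $bootmgr
        Status = $sig.Status                    # expect 'Valid'
        Signer = $sig.SignerCertificate.Subject # expect a Microsoft subject
        SHA256 = $hash                          # compare against a known-good copy from install media
    } | Format-List

    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "bootmgfw.efi is not validly signed by Microsoft; compare it with a known-good copy before trusting this machine."
    }

    # 3. Any other EFI application on the partition that is not validly signed is also suspicious.
    Get-ChildItem -Path 'S:\EFI' -Recurse -Filter '*.efi' |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object Path, Status
}
finally {
    mountvol S: /D   # always unmount the system partition again
}

# 4. Firmware boot entries: an extra entry, or one that points somewhere other than the
#    Microsoft boot manager path, should be explained.
bcdedit /enum firmware
```

Two caveats apply. Secure Boot only protects this check if it is actually enabled, and a machine whose boot chain is already under attacker control can in principle lie to the operating system; a hash comparison against bootmgfw.efi taken from clean installation media, or inspection of the disk from trusted boot media, is the stronger confirmation.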
Given the level of sophistication, it is unlikely that the FinSpy UEFI BootKit will make its way to the Dark Web for mass deployment. Nevertheless, PC users should keep their devices regularly updated and, more specifically, use a reliable antivirus solution.