Rare Bootkit Malware Targets North Korea-Linked Diplomats
Quote: A firmware bootkit has been spotted in the wild, targeting diplomats and members of non-governmental organizations (NGOs) from Africa, Asia and Europe. It has turned out to be part of a newly uncovered framework called MosaicRegressor.
 
According to researchers from Kaspersky, code artifacts in some of the framework’s components and overlaps in command-and-control (C2) infrastructure suggest that a Chinese-speaking group with connections to the Winnti backdoor is behind the attacks. Kaspersky observed several dozen victims who received components from the MosaicRegressor framework between 2017 and 2019 – all of whom had ties to North Korea.
 
“Based on the affiliation of the discovered victims, we could determine that all had some connection to the DPRK, be it non-profit activity related to the country or actual presence within it,” Kaspersky said.
 
This focus on North Korea-related victims was reinforced by emails used to deliver the malware. These contained self-extracting (SFX) archives pretending to be documents discussing various subjects related to North Korea. Those were bundled with both an actual document and MosaicRegressor variants, both of which execute when the archive is opened.

Read more: https://threatpost.com/bootkit-malware-n...ts/159846/
Messages In This Thread
Rare Bootkit Malware Targets North Korea-Linked Diplomats - by silversurfer - 05 October 20, 18:13