Hackers employ UEFI BIOS rootkit to make sure their malware remains in the victim's PC after a reinstall

Jul 15, 2015 09:53 GMT

More details are emerging from the Hacking Team data leak every day, and Trend Micro researchers have now announced they've found the method the group used to install malware that survived operating system reinstalls.

Using a UEFI BIOS rootkit, the Hacking Team group created a module for their Remote Control System (Galileo) surveillance software that checked, every time the user rebooted the PC, whether the OS was still infected with its malware agent, and re-infected the system if the agent was missing.

Physical access was needed to the target computer

Using a slideshow presentation found in the 400GB data leak, Trend Micro researchers have identified the procedure through which this was carried out.

The installation required three files to be copied onto the target's computer. While the Hacking Team presentation states this would only work with physical access to the computer, Trend Micro researchers "can’t rule out the possibility of remote installation," which in theory could happen.

The three modules in question are Ntfs.mod, which allows the modified UEFI BIOS to read and write NTFS files; Rkloader.mod, which hooks UEFI events into the system boot process; and dropper.mod, a simple malware dropper that places scout.exe on the user's computer if it is not present already.

scout.exe was usually installed in "\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6To_60S7K_FU06yjEhjh5dpFw96549UU." The UEFI rootkit also checked only for the presence of a second file, soldier.exe, but its source code did not reveal how that file was installed.
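The file layout described above (an agent executable dropped into a randomly named subdirectory of the per-user Startup folder) is something a defender can sweep for on a disk image or a live system. The following script is an added example, not code from the article or from Trend Micro; it walks each user's Startup tree and flags the agent names the article mentions as well as any executable that sits in a subdirectory of Startup instead of the folder itself. The sample directory tree it builds is constructed here for the demonstration.

```python
import tempfile
from pathlib import Path

# Relative path of a user's Startup folder, as given in the article.
STARTUP_SUFFIX = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
# Agent file names the article mentions (assumed unchanged for this check).
KNOWN_AGENT_NAMES = {"scout.exe", "soldier.exe"}
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


def scan_startup(users_root):
    """Walk <users_root>/<user>/.../Startup for every user and report anomalies.

    Flags (a) files carrying one of the known agent names anywhere in the
    Startup tree and (b) any executable that sits in a subdirectory of
    Startup rather than in the folder itself, which matches the
    Startup\\<random>\\scout.exe layout the article describes.
    """
    findings = []
    for user_dir in sorted(Path(users_root).iterdir()):
        startup = user_dir / STARTUP_SUFFIX
        if not startup.is_dir():
            continue
        for path in sorted(startup.rglob("*")):
            if not path.is_file():
                continue
            depth = len(path.relative_to(startup).parts)
            known = path.name.lower() in KNOWN_AGENT_NAMES
            nested_exe = depth > 1 and path.suffix.lower() in EXEC_SUFFIXES
            if known or nested_exe:
                findings.append({
                    "user": user_dir.name,
                    "path": path.relative_to(startup).as_posix(),
                    "reason": "known agent name" if known else "executable nested under Startup",
                })
    return findings


def build_sample_tree():
    """Constructed sample: one user with the article's layout, one clean user."""
    root = Path(tempfile.mkdtemp())
    infected = root / "alice" / STARTUP_SUFFIX / "6To_60S7K_FU06yjEhjh5dpFw96549UU"
    infected.mkdir(parents=True)
    (infected / "scout.exe").write_bytes(b"MZ constructed sample, not a real binary")
    clean = root / "bob" / STARTUP_SUFFIX
    clean.mkdir(parents=True)
    (clean / "OneNote.lnk").write_bytes(b"L\x00\x00\x00")  # ordinary shortcut, not flagged
    return root


if __name__ == "__main__":
    for f in scan_startup(build_sample_tree()):
        print(f"{f['user']}: {f['path']} ({f['reason']})")
```

Because the article describes the firmware module re-dropping scout.exe at every boot, a file that reappears after deletion or an OS reinstall points at the firmware, not the file system, as the thing to remediate.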

A surveillance system advertised for government agents

The UEFI BIOS rootkit was a perfect module for the group's Remote Control System, surveillance software advertised as "The Hacking Suite for Governmental Interception."

This module would allow government agencies to make sure their spying tools remained on the victim's computer long after a casual inspection of the person's computer at an airport or after serving a warrant.

The Hacking Team group went so far as to provide support for this module whenever clients found the rootkit was incompatible with one or more BIOS images.

According to Trend Micro, the rootkit worked with Insyde BIOS and AMI BIOS images, which currently ship in laptops and workstations sold by companies like Dell, HP, and Lenovo.

Image: Files copied when the UEFI BIOS rootkit is installed
Image: Technical support provided by Hacking Team
Image: RCS agents installed in the target system