MosaicRegressor Malware

Malwares aren’t going anywhere. Today’s news cycles, especially during the COVID-19 pandemic, seem to be full of cyber incidents. One such malware MosaicRegressor, the Second-Ever Windows Unified Extensible Firmware Interface (UEFI) Rootkit that can stay on the motherboard flash memory located in the BIOS region of the PC, was found recently.

One other known instance of a UETI bootkit named LoJax, in the form of patched UEFI modules, was last discovered in 2018 by ESET. The malicious MosaicRegressor’s UEFI firmware images have been modified by the injection of multiple modules that permit the deployment of malwares on target devices.

MosaicRegressor, specifically, features multiple downloaders with numerous intermediary loaders for extensive payloads that can leave wide-ranging implications on victim devices. Aimed at espionage and data gathering purposes, MosaicRegressor has been found with targets on diplomatic institutions and NGOs in Asia, Europe, and Africa.

This advisory by SISA covers an in-depth preview of MosaicRegressor malware and its nature, the related scope of problem and possible implications, and recommendations on ways to respond to the MosaicRegressor malware. The next steps elaborated in this advisory also include determining how to guard against the MosaicRegressor malware within the context of a comprehensive cybersecurity program.

This technical advisory was proposed and researched by Ananya, Security Analyst at SISA’s Synergistic-SOC.