Windows Boot Manager Hijacked by FinFisher Malware

Its creator claims it is offered only to government agencies and organizations throughout the world; however, cybersecurity firms have seen it being distributed through spearphishing campaigns and through internet service provider (ISP) infrastructure.

Researchers Investigated the Bootkit

Because UEFI (Unified Extensible Firmware Interface) firmware is stored in SPI flash memory soldered to a computer's motherboard, a bootkit that persists there is extremely hard to remove: replacing the hard drive or even re-installing the OS does not touch it.

During our , we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks. UEFI infections are very rare and generally hard to execute, and they stand out due to their evasiveness and persistence.

Source
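The infection described in the quote above comes down to one file on the EFI System Partition being swapped: the Windows Boot Manager at \EFI\Microsoft\Boot\bootmgfw.efi. A defender can triage that file without any vendor tooling by parsing its PE/COFF header. The script below is an added example, not code from the Heimdal article or from the Kaspersky research it quotes. It reports the image subsystem (a genuine boot manager is an EFI application), whether an Authenticode certificate table is present and well-formed, and the SHA-256 of the file compared against a baseline recorded from a known-good machine. The two sample images it checks are constructed in-line as test fixtures so the script runs offline; the hash baseline, the fixture bytes and the placeholder signature blob are all constructed values, not real boot manager data.

```python
"""Integrity triage for a UEFI boot manager image (e.g. bootmgfw.efi from the ESP).

Added example, not part of the original article. Parses just enough of the
PE/COFF headers to answer three questions a responder asks first:
  1. Is this still an EFI application image?
  2. Does it carry an Authenticode certificate table at all?
  3. Does its SHA-256 still match the baseline recorded on a clean system?
"""
import hashlib
import struct

IMAGE_SUBSYSTEM_EFI_APPLICATION = 10      # value from the PE/COFF specification
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot holding the cert table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # WIN_CERTIFICATE.wCertificateType for Authenticode


def inspect_efi_image(data: bytes) -> dict:
    """Parse the PE headers of a UEFI image and summarise its integrity-relevant fields."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                # PE32+ (64-bit), the common case for bootmgfw.efi
        count_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                              # PE32 (32-bit)
        count_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    num_dirs = struct.unpack_from("<I", data, count_off)[0]
    cert_off = cert_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        cert_off, cert_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    has_authenticode = False
    if cert_off and cert_size >= 8 and cert_off + cert_size <= len(data):
        # Unlike other directories, the security entry is a raw file offset to a WIN_CERTIFICATE.
        length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
        has_authenticode = cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < length <= cert_size
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "subsystem": subsystem,
        "has_authenticode": has_authenticode,
        "cert_table": (cert_off, cert_size),
    }


def check_boot_manager(data: bytes, baseline_sha256: str) -> list:
    """Return findings for an image; an empty list means it matches the recorded baseline."""
    info = inspect_efi_image(data)
    findings = []
    if info["sha256"] != baseline_sha256.lower():
        findings.append("hash differs from recorded baseline")
    if info["subsystem"] != IMAGE_SUBSYSTEM_EFI_APPLICATION:
        findings.append(f"unexpected subsystem {info['subsystem']} (expected EFI application)")
    if not info["has_authenticode"]:
        findings.append("no Authenticode certificate table: image is unsigned or signature stripped")
    return findings


def build_sample_image(signed: bool, payload: bytes = b"\x90" * 32) -> bytes:
    """Construct a minimal PE32+ EFI application (test fixture, not a real boot manager)."""
    opt_size = 240                                    # PE32+ optional header with 16 data directories
    img = bytearray(64 + 4 + 20 + opt_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)             # e_lfanew: PE signature right after DOS header
    img[64:68] = b"PE\0\0"
    coff = 68
    struct.pack_into("<HHIIIHH", img, coff, 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x20B)           # PE32+ magic
    struct.pack_into("<H", img, opt + 68, IMAGE_SUBSYSTEM_EFI_APPLICATION)
    struct.pack_into("<I", img, opt + 108, 16)        # NumberOfRvaAndSizes
    img += payload
    if signed:
        body = b"\x30\x82" + b"\x00" * 30             # constructed placeholder for a PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(img), len(cert))
        img += cert
    return bytes(img)


if __name__ == "__main__":
    # Record the baseline from the signed fixture, then check a replaced (unsigned) image.
    clean = build_sample_image(signed=True)
    baseline = inspect_efi_image(clean)["sha256"]
    print("clean image findings:   ", check_boot_manager(clean, baseline))
    print("replaced image findings:", check_boot_manager(build_sample_image(signed=False), baseline))
```

On a real system the bytes come from the ESP (mount it, then read \EFI\Microsoft\Boot\bootmgfw.efi), and the baseline must be refreshed whenever a Windows update legitimately replaces the boot manager, or every patch cycle will look like tampering. Note that detecting a certificate table is not signature validation: a replaced image can carry any blob in that slot, so a thorough check verifies the PKCS#7 SignedData against the expected publisher certificate, which this script deliberately does not attempt.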

Bootkits are malware placed in the firmware that is undetectable to security solutions within the because it is designed to load first in the boot process of a device, as they are able to

Read More: https://heimdalsecurity.com/blog/windows-boot-manager-hijacked-by-finfisher-malware/