Windows Boot Manager Hijacked by FinFisher Malware

FinFisher (its agent component is known as FinSpy) is a surveillance suite developed by the Gamma Group, but it carries the same capabilities commonly found in spyware strains.

Its creator claims it is sold only to government agencies and law enforcement organizations around the world; however, cybersecurity firms have seen it delivered through spearphishing campaigns and through internet service provider (ISP) infrastructure.

Researchers Investigated the Bootkit

Because UEFI (Unified Extensible Firmware Interface) firmware is stored in SPI flash soldered to the motherboard, a bootkit implanted there survives a hard drive replacement and even an OS re-installation. The FinSpy bootkit described below takes a different route: it replaces the Windows Boot Manager (bootmgfw.efi), which lives on the disk's EFI System Partition rather than in firmware, so it is installed without having to modify or bypass the firmware itself.

During our research, we found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. This method of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks. UEFI infections are very rare and generally hard to execute, and they stand out due to their evasiveness and persistence.

Source
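The finding above gives a defender a concrete thing to check: whether the copy of bootmgfw.efi that the firmware actually loads is still the Microsoft-signed one. The PowerShell script below is an added example written for this page, not code from the article or from the cited research. It assumes an elevated session on a UEFI Windows host, uses drive letter S: as an arbitrary free letter for the EFI System Partition, and assumes the usual locations of the ESP boot manager (\EFI\Microsoft\Boot\bootmgfw.efi) and of the OS-side copy that bcdboot installs from (%SystemRoot%\Boot\EFI\bootmgfw.efi).

```powershell
#Requires -RunAsAdministrator
# Added example: triage a Windows host for a replaced Windows Boot Manager on the
# EFI System Partition (ESP). Drive letter S: is an assumption; use any free letter.

$EspLetter  = 'S:'
$EspBootMgr = "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"
# Windows keeps its own copy of the boot manager here; bcdboot copies it to the ESP.
$OsBootMgr  = "$env:SystemRoot\Boot\EFI\bootmgfw.efi"

# 1. Mount the ESP; it normally has no drive letter assigned.
mountvol $EspLetter /S
try {
    # 2. Authenticode check on the file the firmware loads. A genuine boot manager is
    #    signed by Microsoft and the signature validates. Any status other than
    #    'Valid' (NotSigned, HashMismatch, UnknownError) means the file was altered
    #    or replaced; a 'Valid' signature from a non-Microsoft signer is just as bad.
    $sig = Get-AuthenticodeSignature -FilePath $EspBootMgr
    [pscustomobject]@{
        File   = $EspBootMgr
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
    } | Format-List

    # 3. Compare the ESP copy with the OS-side copy. They normally match; a mismatch
    #    is not proof of tampering (the ESP copy can be an older build) but it is
    #    the file to pull for analysis.
    $espHash = (Get-FileHash -Algorithm SHA256 -Path $EspBootMgr).Hash
    $osHash  = (Get-FileHash -Algorithm SHA256 -Path $OsBootMgr).Hash
    if ($espHash -ne $osHash) {
        Write-Warning "bootmgfw.efi on the ESP ($espHash) differs from $OsBootMgr ($osHash)"
    } else {
        Write-Host "ESP and OS copies of bootmgfw.efi match ($espHash)"
    }

    # 4. Enumerate every .efi file on the ESP with its signature state, so a loader
    #    dropped next to the real one, or a renamed original, is not overlooked.
    Get-ChildItem -Path "$EspLetter\EFI" -Recurse -Filter *.efi |
        ForEach-Object {
            $s = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $s.Status
                Signer = $s.SignerCertificate.Subject
            }
        } | Format-Table -AutoSize

    # 5. Secure Boot state. With Secure Boot enforced, the firmware rejects an
    #    unsigned or tampered bootmgfw.efi before it runs, so a modified boot manager
    #    that still boots implies Secure Boot was off or its checks were defeated.
    Write-Host "Secure Boot enabled: $(Confirm-SecureBootUEFI)"
}
finally {
    # 6. Release the drive letter again.
    mountvol $EspLetter /D
}
```

Run it from an elevated PowerShell prompt. Get-AuthenticodeSignature validates the embedded signature and chain, so it catches both an unsigned replacement and a patched original whose hash no longer matches; a bootkit that was installed with Secure Boot disabled will typically show up as NotSigned or HashMismatch in step 2, and Confirm-SecureBootUEFI in step 5 tells you how it got to run at all.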

Bootkits are malware placed in the firmware or early boot chain that is hard for security solutions running inside the operating system to detect, because it is designed to load before the operating system during a device's boot process, as they are able to

Read More: https://heimdalsecurity.com/blog/windows-boot-manager-hijacked-by-finfisher-malware/