Cythera Cyber Security

Malware That Lives Beyond OS Rebuild

Normally if your machine is infected with malware, you can simply reinstall Windows, and the problem is solved, right? Not with this type of malware.
Talk to an expert

Malware Security

Normally if your machine is infected with malware, you can simply reinstall Windows, and the problem is solved, right? Not with this type of malware.

Kaspersky Lab have discovered a trojan known as IntelUpdate.exe which establishes persistence by placing itself in the firmware of the endpoint. It does this by exploiting the UEFI, the software used to boot up your Windows computer, which is obviously separate to the physical drive that it boots from, meaning this trojan can survive a reinstall, alongside evading traditional antivirus solutions.

IntelUpdate.exe can be located in the Startup Folder and will reinstall itself even if it is deleted, that’s assuming the user is able to detect the malware in the first place.

The main motivation behind this attack relates to the threat actor being able to spy on activity, scan documents and send them to an unknown host, most likely a command and control server.

Whilst the attack chain hasn’t been fully identified, there have been links to execution of the attack through a USB thumb drive. There would also be scope to execute this attack via a phishing email to execute remote code to establish persistence on the endpoint.

Ultimately you want to avoid this type of attack in the first place.

In the instance that you are subject to this type of attack, you will need to update the BIOS of the device to the latest legitimate version.

To give your device the best opportunity to prevent this attack and other specifically crafted attacks, following the steps below will assist in mitigating risk:

  • Ensure your BIOS firmware is up to date
  • Patch your device with the latest updates
  • Have an up-to-date next-gen antivirus solution to help block any malicious execution
  • Avoid the use of USBs and steer clear of plugging in rogue USBs into your device
  • Have a mail filter in place to mitigate inbound phishing emails
  • Ignore unknown senders and validate with known users sending unusual attachments

Reference – Kaspersky


Events

Latest events

Join Cythera experts for networking events, technical briefings, and hands-on workshops hosted throughout the year.
View all events
No items found.
Cyber security news

Latest advisories

Stay ahead of emerging threats with our expert blog posts, research, and industry updates.
Silverstripe - Host Header Injection
Silverstripe CMS is affected by a Host Header Injection flaw, which can be exploited to manipulate password reset workflows, potentially redirecting or compromising user data.
FarCry Core Framework - Multiple Issues
FarCry Core contains multiple vulnerabilities that could let unauthenticated users upload arbitrary files and execute remote code on the hosting server.
Silverstripe – Cross-Site Scripting (XSS) Vulnerability
With local organisation admin credentials, an attacker can exploit the API to create, delete, or revert virtual machine snapshots in other organisations’ Virtual Data Centres (VDCs), breaching isolation boundaries.