Windows Boot Manager replaced by a UEFI BootKit sidesteps firmware security checks: is FinFisher, FinSpy or Wingbird a new malware and security threat?

Image: A UEFI BootKit malware. Pic credit: Paul Schultz/Flickr

Even the Windows Boot Manager isn’t safe from malware attacks. A newly documented UEFI BootKit that loads FinFisher (also known as FinSpy or Wingbird) successfully compromises the pre-Windows PC startup environment.

Originally developed by Gamma Group as a commercial surveillance suite for government customers, this very powerful spyware keeps turning up in the hands of operators well beyond the buyers it was built for.

New UEFI BootKit loading FinSpy successfully compromises the Windows Boot Manager:

Commercially developed FinFisher malware is being delivered to Windows PCs through a UEFI BootKit. The BootKit does not patch the firmware; it replaces the Windows Boot Manager on disk with a malicious loader.

Kaspersky researchers have disclosed the concerning development, which could be very difficult to detect and mitigate: “During our research, we found a UEFI BootKit that was loading FinSpy. All machines infected with the UEFI BootKit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one.”

“This method of infection allowed the attackers to install a BootKit without the need to bypass firmware security checks. UEFI infections are very rare and generally hard to execute, and they stand out due to their evasiveness and persistence.”

UEFI stands for Unified Extensible Firmware Interface. It is the successor to the BIOS (Basic Input Output System). Both are firmware that runs before Windows or any other operating system starts: it initialises the hardware and then hands control to the operating system’s boot loader.

The UEFI firmware resides in an SPI flash chip. Simply put, the firmware does not load from a boot disk; the manufacturer solders the flash chip permanently onto the motherboard.

Needless to say, malware that lives in the firmware itself is very difficult to detect and remove. Replacing the boot disk or even reinstalling the operating system does not touch the SPI flash, so the infection survives.

How does a UEFI BootKit find its way onto the motherboard’s soldered SPI flash?

BootKits are malicious code that runs during the boot process, before the operating system; the most persistent ones are planted in the UEFI firmware of the motherboard itself. Because they run first, they remain invisible to security solutions that only start protecting the operating system after the PC is up.

BootKits give attackers unhindered control over the operating system’s boot process. Needless to add, this can potentially allow attackers to bypass or disable the Secure Boot mechanism as well, depending on where in the boot sequence the code runs and how the firmware is configured.

Such malware, and such infections, are extremely rare. Usually only state-sponsored actors have access to a UEFI BootKit, and they use it very selectively to compromise the devices of high-value targets.

The UEFI BootKit that loads FinFisher (FinSpy, Wingbird), however, did not infect the UEFI firmware. Instead, it places itself between the UEFI boot sequence and the operating system’s startup process by standing in for the Windows Boot Manager on disk.

The BootKit reportedly installed itself on a separate partition and “could control the boot process of the infected machine,” Kaspersky researchers indicated.

Given the level of sophistication, it is unlikely the FinSpy UEFI BootKit will make its way to the Dark Web for mass deployment. Still, PC users should keep their devices updated, keep Secure Boot enabled (firmware that enforces Secure Boot will refuse to start a boot manager that is not signed by a trusted key, which raises the bar for a replaced bootmgfw.efi considerably), and use a reliable antivirus solution.
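Because the infection described by Kaspersky boils down to a replaced bootmgfw.efi on the EFI System Partition, the check a practitioner would actually want is to inspect that file. The following PowerShell snippet is an added example written for this article; it is not code from Kaspersky’s report or from the malware. It assumes an elevated session on a UEFI machine, that S: is a free drive letter for mounting the ESP, and that a reference copy of the boot manager exists at C:\Windows\Boot\EFI\bootmgfw.efi (the file Windows setup and bcdboot copy to the ESP).

```powershell
# Added example: sanity-check the Windows Boot Manager on the EFI System Partition.
# Assumptions: elevated PowerShell, UEFI firmware, S: free, reference copy in $env:SystemRoot\Boot\EFI.
$espLetter = 'S:'
$bootMgr   = "$espLetter\EFI\Microsoft\Boot\bootmgfw.efi"
$reference = "$env:SystemRoot\Boot\EFI\bootmgfw.efi"

# 1. Is Secure Boot enforcing? Confirm-SecureBootUEFI throws on legacy-BIOS machines.
try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
"Secure Boot enabled : $secureBoot"

# 2. Mount the ESP (it normally has no drive letter) so the boot manager can be read.
mountvol $espLetter /S
try {
    if (-not (Test-Path $bootMgr)) { throw "bootmgfw.efi not found on the ESP" }

    # 3. Authenticode check. A genuine bootmgfw.efi is signed by Microsoft; a swapped-in
    #    loader typically shows NotSigned, or HashMismatch if it was patched in place.
    $sig = Get-AuthenticodeSignature -FilePath $bootMgr
    "Signature status    : $($sig.Status)"
    "Signer              : $($sig.SignerCertificate.Subject)"

    # 4. Compare the ESP copy with the reference copy shipped in the Windows directory.
    $espHash = (Get-FileHash -Algorithm SHA256 -Path $bootMgr).Hash
    $refHash = (Get-FileHash -Algorithm SHA256 -Path $reference).Hash
    "ESP copy SHA256     : $espHash"
    "Reference SHA256    : $refHash"
    "Hashes match        : $($espHash -eq $refHash)"

    # 5. List every EFI binary under the Microsoft boot directory. The original boot manager
    #    has to be kept somewhere for the malicious loader to chain to, so an unexpected
    #    extra .efi file here deserves a second look.
    Get-ChildItem "$espLetter\EFI\Microsoft\Boot" -Recurse -Filter *.efi |
        Select-Object FullName, Length, LastWriteTime
}
finally {
    # Always unmount the ESP again, even if a check above threw.
    mountvol $espLetter /D
}
```

Read the results in order: an invalid or missing signature is the strong signal. A hash mismatch against the reference copy with a valid Microsoft signature usually means version skew after an update rather than an infection. And keep the article’s own caveat in mind: an in-OS check like this is only trustworthy when the firmware underneath it is not compromised, which is exactly why firmware-resident implants are so hard to deal with.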
