A Persistent Malware – surviving an OS reformat

October 8, 2020
persistent malware trojan survive os reformat antimalware antitrojan solutions

A persistent malware that can survive reformats

A not so new kind of threat emerged in the headlines of many cybersecurity outlets, as an expose of a persistent malware that can survive even OS reinstall is currently on the loose. Now that Malware can persist even after a reformat can be considered formidable. Beware that this type of stealth and resiliency is possible for abuse and utilized by a different malware attack type. We fear most of this type of payload, where financial and login credentials are the target of crafty malware authors.

Ransomware that can exfiltrate data on top of a ransom can use this resiliency and stealth technique using a logic that may “reinfect” the machine after a set period. What is worse is when a crafty cybercriminal will write ransomware with a command center where the author can freely update it and enter more commands.

Spyware that can remain in the disc drive to continuously spy on a machine.


It goes undetected by hiding

Kaspersky, the cybersecurity firm specializing in Malware detection and analysis, exposed the Malware, where they say that the origins of the malicious program came from a Chinese speaker. It is too early to tell whether the hacker itself is from China or an APT member.

The Malware embeds and hides within a drive’s UEFI (Unified Extensible Firmware Interface).


persistent malware survives OS reformat


Yes, you got it right. The malicious program can live right where the memory relies on starting up your machines. The program deploys another trojan called “IntelUpdate.exe” in the startup folder where it can come back regardless of whether it is deleted by a user or Anti-virus software.

The deployed trojan we mentioned can be detected by an anti-malware app, that is for sure. However, the root-cause that resides within the UEFI is unremovable through this method. We may only remove the Malware by removing the malicious firmware itself. Not the hard drive where the Operating System is stored. We can confidently say that the UEFI based attack is determined to deliver and inject more hacking tools on a victim’s computer.

If it is not APT, then it could be from Wintti, which is known as a Chinese state-sponsored hacking organization. The security firm got hold of evidence that the writers used the Chinese language while programming the code. Worse than finding out that the coder speaks Chinese is the payload communicates through a command and control server.


Security must be tough

iZOOLogic’s advice is to keep your machines secure by refraining from connecting to public networks that offer a free internet connection. Avoid indiscriminately plugging in devices that came from a stranger or even from a colleague where these devices are not recognized nor authorized by your IT security team. Limit the installed software and programs that are installed on your machines. Again, it will be best to use resources approved by the security experts in your work environment. For general users, avoid utilizing free software that came from an unreliable source.

About the author

Leave a Reply