August 27, 2021

Nation state attacker Sednit used a DXE rootkit to drop user-mode executables. Why not just use the driver?


I’ve asked this here before and elsewhere and gotten no answer. Let’s try again, this is a burning question about exploitation fundamentals.

Reference [this breakdown at Black Hat](https://youtu.be/sObGrnesxv4) of an alleged nation-state actor Sednit’s 2016 attack against the DNC resulting in indictments of Russian citizens by the US govt.

Edit: I think the analysts don’t outright say this specific attack is the very same DNC email exfiltration, but they seem to strongly allude to it.

1. The attackers install a binary ReWriter_binary.exe, leveraging the legitimate driver from [RWEverything](https://www.basicinputoutput.com/2017/08/rweverything-yes-everything.html?m=1). This binary accesses SPI flash memory to dump the host’s firmware to disk.

2. ReWriter_binary.exe then writes a UEFI rootkit into those firmware contents and writes the modified firmware back to SPI flash. Specifically, the rootkit it written to a volume containing other DXE drivers or the DXECore, whichever has space.

2. The attackers leverage the malicious DXE driver to replace autochk.exe with a payload.

3. The attackers inject what the analysts refer to as a “small agent” (I wasn’t able to find a reference for this term so I assume it merely means a small executable) rcpnetp.exe as a service.

4. Rcpnetp.exe injects a .dll into svchost which then communicates with a Command and Ctrl server to download and install yet another component the analysts refer to as a “full recovery agent”.

Where I’m confused is Step 1. With a malicious DXE driver in place, one already has full access to storage, memory, network, execution. Rather than drop all these files one can interface directly with the network card, read storage, and skip using any system calls which might otherwise be logged.

But these are nation state actors, so there must be a good reason to drop files rather just executing from kernel-mode in the DXE driver with all the associated advantages.

The only guess I’ve come up with is one of performance. I’m just beginning to learn UEFI development and am unclear on the performance implications of using a DXE driver. However, it seems to me that a rootkit would have no problem injecting desired code into other processes if there were some performance benefit. I don’t see this as being the answer.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: By filling this form and submitting your commen, you acknowledge, agree and comply with our terms of service. In addition you acknowledge that you are willingly sharing your email address with AiOWikis and you might receive notification emails from AiOWikis for comment notifications. AiOWiksi guarantees that your email address WILL NOT be used for advertisement or email marketting purposes.

This site uses Akismet to reduce spam. Learn how your comment data is processed.