A “new” class of malware hit the Cyberspace that is designed to live off the land in host machines’ UEFI BIOS chip memory.

Kaspersky Lab, the Russian multinational that has its roots in FAPSI and then FSB laboratories of the late 80s and early 90s should not be surprised much, as such low-level attack vectors were already around in those days.

In the last week, Kaspersky Lab identified a malware that can survive Windows OS reinstalls, because it persists in the Serial Peripheral Interface Bus flash memory of the motherboard.

Serial flash is a small, low-power flash memory providing only serial access to data – rather than addressing individual bytes, it is possible to read/write large contiguous groups of bytes in the address space serially. It is a legacy of the cost reduction drive in form factor design as serial flash transmits and receives data one bit at a time translating into a reduction in board space, power consumption and consequently total system cost.

The way how SPI flash is utilized for malicious goals is usually to use its ability to shadow code stored in the SPI flash into the RAM. Technically it works in the same way how device managers/drivers are stored in the firmware and then copied into the SDRAM or SRAM when the device is powered-up.

Only in this scenario it is not a device driver, but a malware that is persistently loaded into the RAM during the boot-up sequence.

And loaded before the OS could do so… meaning that there is no way for OS, antivirus, ATP or EDR applications to thwarth such a malware from persisting on a system.

Kaspersky Lab alleges that the new malware strain is coming out of the PRC, which may or may not be the case, but this very technique is only as new as the 8086 family… some 40 years old… and is around for targeted actions on all continents.