Intel Security Releases a New Detection Tool for macOS EFI Rootkits

WikiLeaks' Vault 7 documents show that the CIA was working on two EFI rootkits. The first is named DerStarke, which the CIA describes as an "Apple EFI implant via flash unlock," while the second is named QuarkMatter, described as an "Apple EFI implant via EFI system partition."
What is EFI/UEFI?

The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware. UEFI replaces the Basic Input/Output System (BIOS) firmware interface originally present in all IBM PC-compatible personal computers, with most UEFI firmware implementations providing legacy support for BIOS services. UEFI can support remote diagnostics and repair of computers, even with no operating system installed.
Intel said it has developed a simple module for the CHIPSEC framework that can be used to verify the integrity of EFI firmware executables on potentially impacted systems.
What is CHIPSEC?

CHIPSEC is a framework for analyzing the security of PC platforms, including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low-level interfaces, and forensic capabilities. It can be run on Windows, Linux, Mac OS X and the UEFI shell, and it is used for security purposes.
In the recent disclosures, another EFI firmware malware for Mac OS X systems, DarkMatter, has surfaced. According to Intel's blog post, it appears to include multiple EFI executable components that it injects into the EFI firmware on a target system at different stages of infection.
If one has generated a whitelist of known-good EFI executables from the firmware image beforehand, then running the new tools.uefi.whitelist module on a system whose EFI firmware has been infected by the DarkMatter persistent implant would likely detect the extra binaries added to the firmware by the rootkit.
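The whitelist approach described above has two phases: build a list of hashes of every EFI executable in a known-good firmware image, then re-extract the executables from a later dump of the same machine and compare. CHIPSEC's own module is invoked as `chipsec_main.py -m tools.uefi.whitelist -a generate,efilist.json,uefi.rom` to build the list and `-a check,efilist.json,uefi.rom` to verify a later dump against it. The example below is an added illustration of that check, not CHIPSEC's code: it stands in for the firmware-volume parsing with a constructed mapping of executable names to bytes, with one hypothetical extra driver and one modified driver representing an implant, and reports which entries are new, changed or missing relative to the whitelist.

```python
import hashlib
import json

# Constructed sample "firmware images": EFI executable name -> file contents.
# A real run would extract these from a dumped SPI flash image with a firmware
# volume parser; the bytes here are placeholders, not real EFI modules.
KNOWN_GOOD_FIRMWARE = {
    "PEI/PeiCore.efi": b"MZ" + b"pei-core-v1",
    "DXE/DxeCore.efi": b"MZ" + b"dxe-core-v1",
    "DXE/UsbBus.efi": b"MZ" + b"usb-bus-v1",
}

# The same firmware after a hypothetical implant: one extra DXE driver that was
# never in the vendor image, and one existing driver whose bytes were altered.
INFECTED_FIRMWARE = dict(KNOWN_GOOD_FIRMWARE)
INFECTED_FIRMWARE["DXE/ExtraDriver.efi"] = b"MZ" + b"hypothetical-added-binary"
INFECTED_FIRMWARE["DXE/UsbBus.efi"] = b"MZ" + b"usb-bus-v1-altered"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def generate_whitelist(firmware: dict) -> str:
    """Phase 1: produce a JSON whitelist of SHA-256 digests for every executable."""
    entries = {
        name: {"sha256": sha256_hex(blob), "size": len(blob)}
        for name, blob in sorted(firmware.items())
    }
    return json.dumps(entries, indent=2, sort_keys=True)


def check_against_whitelist(firmware: dict, whitelist_json: str) -> dict:
    """Phase 2: compare a later firmware dump with the whitelist.

    Returns sorted lists of executables that were added (not in the whitelist),
    modified (present but with a different digest) and missing (in the
    whitelist but absent from the dump). Any non-empty list is a finding.
    """
    whitelist = json.loads(whitelist_json)
    added = sorted(name for name in firmware if name not in whitelist)
    missing = sorted(name for name in whitelist if name not in firmware)
    modified = sorted(
        name
        for name, blob in firmware.items()
        if name in whitelist and sha256_hex(blob) != whitelist[name]["sha256"]
    )
    return {"added": added, "modified": modified, "missing": missing}


def firmware_is_clean(result: dict) -> bool:
    """True only when the dump matches the whitelist exactly."""
    return not (result["added"] or result["modified"] or result["missing"])


if __name__ == "__main__":
    whitelist = generate_whitelist(KNOWN_GOOD_FIRMWARE)
    print("known-good image:", check_against_whitelist(KNOWN_GOOD_FIRMWARE, whitelist))
    print("infected image:  ", check_against_whitelist(INFECTED_FIRMWARE, whitelist))
```

The whitelist has to be generated from a dump taken before any suspected compromise (or from a vendor image of the same firmware version), and regenerated after each legitimate firmware update, otherwise every update shows up as a modification. A pure allow-list does not need any knowledge of the implant's binaries, which is what makes it useful against unseen firmware malware.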
EFI firmware malware is a new frontier for stealthy, persistent attacks that sophisticated adversaries may use to penetrate and persist within organizations and national infrastructure for a very long time. Use the open-source CHIPSEC framework to defend against this threat and stay safe.
However, Apple has already patched the exploits following the recently leaked CIA documents.