Monday, 17 March 2025

You've Already Been Hacked: What if There Is a Backdoor in Your UEFI OROM?

While several studies have inserted malicious code into a UEFI OROM (Option ROM), none of them has focused on the UEFI OROM itself; instead, the OROM was used for auxiliary purposes such as maintaining persistence or serving as a temporary buffer for lateral movement. As a result, it remains unclear what actions a backdoor in a UEFI OROM could perform and what its potential benefits are. This presentation organizes the benefits and infection scenarios of placing a backdoor in a UEFI OROM. It examines in depth the stealthiness and potency of OROM backdoors, followed by demonstrations of three novel proof-of-concept (PoC) OROM backdoors targeting Windows. These PoCs use multiple novel evasion techniques, including communication with a C2 server during boot, execution of malicious code at both kernel and user level solely through a runtime DXE driver, concealment of malicious tasks during the boot phase, and bypassing CFG/ACG via partial identity mapping. Lastly, strategies for defending systems against OROM backdoors will be discussed, along with an introduction to the research and initiatives needed for such protection.

By: Kazuki Matsuo | Security Researcher, Waseda University and FFRI Security

Full Abstract and Presentation Materials: https://ift.tt/5UVQBby

source https://www.youtube.com/watch?v=_S6EymfaBqQ
