
Custom-made UEFI bootkit found lurking in the wild
Attackers are going to great lengths to gain the highest level of persistence.

Analysis eventually showed that each time the firmware ran, it checked whether a file named IntelUpdate.exe was present in the Windows startup folder. If it wasn't, the UEFI image wrote it there. Because that check runs from firmware before the operating system loads, deleting the file, or even wiping the drive and reinstalling Windows, doesn't end the infection: the next boot simply drops it again, and only cleaning the firmware itself removes the implant. IntelUpdate.exe, it turned out, was a small but important cog in a large, modular framework built for espionage and data gathering. It acted as the first link in a long chain: it reported to an attacker-controlled server to download another link, which in turn downloaded others, all of them customized to the profile of the person being infected.
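The one thing an administrator can check from inside Windows is the on-disk artifact the firmware drops. The script below is an added example written for this article, not code from Ars Technica or from the researchers who analyzed the bootkit; it assumes only the standard Windows Startup folder locations and reports any IntelUpdate.exe it finds with its hash and Authenticode status, so an analyst can judge it against the many legitimate Intel-signed updaters. No hash of the real dropper is included because the article does not give one.

```powershell
# Added example (not from the article or the original analysis): look for the
# IntelUpdate.exe persistence artifact in every Startup folder on the machine.
$startupDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)
# Other user profiles have their own Startup folder; include them too.
$startupDirs += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

$hits = foreach ($dir in ($startupDirs | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter 'IntelUpdate.exe' -File -ErrorAction SilentlyContinue
    }
}

if (-not $hits) {
    Write-Output 'No IntelUpdate.exe found in any Startup folder.'
} else {
    foreach ($f in $hits) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Path      = $f.FullName
            CreatedUtc = $f.CreationTimeUtc
            SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            Signature = $sig.Status          # 'Valid' for a genuine Intel-signed file
            Signer    = $sig.SignerCertificate.Subject
        }
    }
    # Removing the file only treats the symptom: the article describes the
    # firmware re-creating it on every boot, so a hit is a firmware incident.
    Write-Warning 'Do not just delete the file; dump and verify the SPI flash image.'
}
```

Run it from an elevated prompt so the other profiles' folders are readable. A hit whose signature is anything but `Valid`, or whose creation time keeps resetting after deletion, is the behaviour the article describes and should be escalated as a firmware compromise rather than cleaned up as ordinary startup-folder malware.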