Some comments from Yuriy of the Intel ATR team:
DerStarke 2.0 appears to include darkmatter Mac EFI persistence implant with 8 DXE & PEI EFI binaries with heavy use of EFI vars for config pic.twitter.com/7kZxjYPS7J
— Yuriy Bulygin (@c7zero) March 8, 2017
So the first EFI malware that doesn't rely on fully unlocked flash or physical access like e.g. HackingTeam's UEFI rootkit?
— Yuriy Bulygin (@c7zero) March 8, 2017
S3Sleep is most interesting. Launches DarkDream exploit which prob bypasses flash protections? on resume from S3 sleep to write PeiUnlocker
— Yuriy Bulygin (@c7zero) March 8, 2017
DxeInjector module seems to be used to "re-infect" EFI firmware updates (capsules) with implants already "installed" in the firmware
— Yuriy Bulygin (@c7zero) March 8, 2017
PeiUnlock is a temporary firmware flash unlocker dropped by DarkDream exploit then removed after permanently patching flash locking DXE drvr
— Yuriy Bulygin (@c7zero) March 8, 2017
Firmware Security 