So far, the only information available is in these tweets:
#ESETresearch identified multiple malicious EFI bootloader samples. The malware displays a ransom message and prevents the computer from booting. It can compromise computers with disabled #UEFI Secure Boot feature @cherepanov74 @smolar_m 1/4 pic.twitter.com/DgQSA75Vo6
— ESET research (@ESETresearch) June 24, 2020
The dropper replaces the default EFI bootloader bootx64.efi and deletes Microsoft EFI modules on the EFI system partition in order to boot a malicious one. The replaced bootloader just displays a #ransom message and executes an infinite loop. 2/4 pic.twitter.com/dJANP5JK8f
— ESET research (@ESETresearch) June 24, 2020
IoCs:
5EC5710DDE5BB7448F7C7DF49283326D0F50A30B (Dropper)
Detection name: Win32/KillMBR.NDS
3/4
— ESET research (@ESETresearch) June 24, 2020
EFI samples:
436E178BC3D4011EEA59B18220CA230768758C37
6094D6A4819E311359DDCE8A17172F7AE71D749C
7B2340867898E82224BEC29BE8C9FB7200009887
A366CE39E66DC44435D625FDA3309E2832FB1684
E24BA8864D8950E83D2693F454C5F109A7DE7B7C
Detection name: EFI/EFIlock #ESETresearch
4/4
— ESET research (@ESETresearch) June 24, 2020
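A defender-side check built on the tweets above, as an added example that is not ESET's code or part of the original post: it hashes every .efi file on a mounted EFI system partition (or a copy of one) against the EFI sample hashes listed above and flags a missing Windows boot manager. Assumptions: the 40-hex-digit IoCs are SHA-1, the host boots Windows from the standard EFI/Microsoft/Boot/bootmgfw.efi path, and the names audit_esp and EFILOCK_SHA1 are hypothetical.

```python
import hashlib
import sys
from pathlib import Path

# EFI sample hashes copied from the tweets above
# (assumption: SHA-1, since each value is 40 hex digits).
EFILOCK_SHA1 = {
    "436E178BC3D4011EEA59B18220CA230768758C37",
    "6094D6A4819E311359DDCE8A17172F7AE71D749C",
    "7B2340867898E82224BEC29BE8C9FB7200009887",
    "A366CE39E66DC44435D625FDA3309E2832FB1684",
    "E24BA8864D8950E83D2693F454C5F109A7DE7B7C",
}
# Standard Windows boot manager path on the ESP (assumption: Windows host).
MS_BOOTMGR = ("EFI", "Microsoft", "Boot", "bootmgfw.efi")


def _find_ci(root, parts):
    """Resolve a path case-insensitively; FAT ignores case, a Linux mount may not."""
    cur = Path(root)
    for part in parts:
        entries = cur.iterdir() if cur.is_dir() else []
        match = [p for p in entries if p.name.lower() == part.lower()]
        if not match:
            return None
        cur = match[0]
    return cur


def audit_esp(esp_root, iocs=EFILOCK_SHA1):
    """Return findings as (kind, relative_path, sha1_or_None) tuples."""
    iocs = {h.upper() for h in iocs}
    findings = []
    for path in sorted(Path(esp_root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".efi":
            digest = hashlib.sha1(path.read_bytes()).hexdigest().upper()
            if digest in iocs:
                findings.append(("ioc_match", path.relative_to(esp_root).as_posix(), digest))
    if _find_ci(esp_root, MS_BOOTMGR) is None:  # expected on non-Windows hosts
        findings.append(("missing_ms_bootmgr", "/".join(MS_BOOTMGR), None))
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    for finding in audit_esp(sys.argv[1]):
        print(finding)
```

Run it with the ESP mount point as the only argument, ideally against a read-only mount or an image copy.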