@thor @inference The most impressive malware I've encountered in the wild was something that sounded much like MosaicRegressor. Kaspersky Labs found the aforementioned malware on a diplomat's computer and they were unable to do much analysis on it.
What I encountered was modular, flexible, persistent but able to erase evidence. The malware infected the computer but what it did next was insane.
So I was around a company when someone complained that their computer wouldn't work with a recent hardware change. The company didn't mind me taking a look. "It's just not loading the driver, or it needs to be configured."
I worked on that computer for around 72 hours over 5 days. I didn't determine that it had malware until about 5 hours in, and I didn't realize that it was related for a few more minutes.
So what I discovered was something that managed to infect all the way into UEFI, with the latest security module and latest generation of chipset. I didn't have the ability to take it apart so I could clone the SOIC, and it was the newer one with more pins.
I could get around the malware for most things after I used a trick on UEFI that stops the Secure Boot sequence. I was able to boot Ubuntu (signed by Microsoft) after this. The hardware was perfectly fine and functional; I watched the network traffic and it was normal. Back in Windows, I had a thought as the internet stopped working on it within the first hour, and I analyzed the network traffic. There was network traffic, connections to servers, RX/TX, and yet the OS acted like it had no connection.
I think it was closer to 96 hours of work to get it fixed. I had my whole kit with me. It was really labor intensive but I am sure that I got rid of it as it was. It could have just patched itself and remained hidden but I took precautions. It was also flagged by IT after I reported what I found. It's likely still being monitored.
In conclusion, I discovered something in the wild that I had never heard of before. This was more professional than some of the software used to manage servers. The only reason I discovered it was because it cut network access and blocked other boot media that was whitelisted. It wasn't sluggish, using excessive resources, or causing any other issues.