It enables low-level malware implants
Once an attacker is able to execute malicious code within SMM, they may be able to inject persistent malware within UEFI. Whether this succeeds depends on the platform configuration, as UEFI may have additional protections such as AMD’s ROM Armor, which controls access to the SPI flash memory where UEFI is stored.
However, ROM Armor is a new feature and is not available on most computers affected by the vulnerability. Another feature that can prevent malware within UEFI is Platform Secure Boot, which establishes a cryptographic chain of trust for the UEFI firmware code, but it is not available or not enabled on all systems.
Even if these features are enabled, attackers can at least break Secure Boot, which is intended to protect the integrity of the OS boot process and only allow signed bootloaders to boot. By defeating Secure Boot, attackers can use a boot-level rootkit, or bootkit, that runs before the OS kernel starts and controls the entire system, hiding processes and files from any OS-level security product.