This story was printed from CdrInfo.com,
located at http://www.cdrinfo.com.

Appeared on: Saturday, March 11, 2017
Intel Security Releases EFI Rootkit Checker Following WikiLeaks Reports

Following recent WikiLeaks Vault 7 disclosures, including details regarding firmware vulnerabilities in popular hardware, Intel Security has pushed out a tool to check for such rootkits.



The Vault 7 leaks suggest that the CIA has been able to produce EFI (Extensible Firmware Interface) rootkits for MacBooks, called DarkMatter.

Intel Security has released a tool to check for such rootkits, although Apple issued a statement earlier this week indicating that it had addressed "many of the issues" exposed by WikiLeaks.

EFI is the firmware that replaces the old-fashioned BIOS on computers. Various rootkit exploits allow the attacker to inject code that will then be run before the operating system itself launches. Working on a kernel level, rootkits evade easy detection and could also survive hard disk formats.

According to Intel, DarkMatter includes multiple EFI executable components that it injects into the EFI firmware on a target system at different stages of infection. If one has generated a whitelist of known good EFI executables from the firmware image beforehand, then running the new tools.uefi.whitelist module on a system with EFI firmware infected by the DarkMatter persistent implant would likely result in a detection of these extra binaries added to the firmware by the rootkit.
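The whitelist comparison described above, sketched as an added example (this is not CHIPSEC's code and not from the original article). It assumes the EFI executables have already been extracted from the firmware image; the module names, byte contents and JSON layout are constructed for illustration.

```python
import hashlib
import json


def generate_whitelist(modules):
    """Map the SHA-256 of each EFI executable to its name (known-good baseline)."""
    return {hashlib.sha256(data).hexdigest(): name for name, data in modules.items()}


def check_image(modules, whitelist):
    """Return (kind, name, sha256) for every executable whose hash is not whitelisted."""
    known_names = set(whitelist.values())
    findings = []
    for name, data in sorted(modules.items()):
        digest = hashlib.sha256(data).hexdigest()
        if digest in whitelist:
            continue
        # Same name but different bytes: an existing module was changed.
        # New name and new bytes: an extra binary was added to the image.
        kind = "modified" if name in known_names else "added"
        findings.append((kind, name, digest))
    return findings


# Constructed sample data standing in for executables extracted from firmware.
BASELINE = {
    "DxeCore": b"MZ" + b"\x01" * 64,
    "Fat": b"MZ" + b"\x02" * 64,
}
LATER_IMAGE = dict(BASELINE)
LATER_IMAGE["Fat"] = BASELINE["Fat"] + b"\xcc"        # altered module
LATER_IMAGE["ExtraDxeDriver"] = b"MZ" + b"\x99" * 32  # binary not in the baseline


def demo():
    """Build the whitelist, round-trip it through JSON, then check both images."""
    whitelist = json.loads(json.dumps(generate_whitelist(BASELINE)))
    return check_image(BASELINE, whitelist), check_image(LATER_IMAGE, whitelist)


if __name__ == "__main__":
    clean, suspect = demo()
    print("baseline findings:", clean)
    for kind, name, digest in suspect:
        print(f"{kind:8} {name:16} {digest}")
```

The result is only as trustworthy as the baseline: the whitelist has to come from a known-clean image, and it must be regenerated after a legitimate firmware update because the updated modules will hash differently.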

According to Intel, the open-source CHIPSEC can help you defend against this threat and stay safe.


