CosmicStrand UEFI rootkit found on ASUS and Gigabyte motherboards


Malware found in the firmware images of Gigabyte or ASUS motherboards with the Intel H81 chipset

Researchers from Kaspersky have discovered a new kind of powerful Unified Extensible Firmware Interface (UEFI) firmware rootkit known as CosmicStrand, which they attribute to an unidentified Chinese-speaking threat actor.

The malware was found in the firmware images of Gigabyte or ASUS motherboards with the Intel H81 chipset, according to the researchers, who say they were unable to identify the initial attack vector.

The researchers believe a common vulnerability may have enabled the attackers to inject their rootkit into the firmware's image.

The Unified Extensible Firmware Interface (UEFI) is important software that resides inside a flash memory chip, soldered to a computer's motherboard. It is the first software to execute when a system boots up, allowing it to access and control all hardware components as well as various parts of the machine's operating system.

Because UEFI lives inside a memory chip, malware injected into it can survive reboots, formats and OS reinstalls, enabling threat actors to maintain their presence on compromised machines.

Due to the high level of complexity involved in their creation, UEFI rootkits are very rarely seen in the wild.

In 2017, Qihoo 360 discovered the first UEFI rootkit, called Spy Shadow Trojan, which was being used by a China-backed advanced persistent threat (APT) group. Kaspersky researchers believe CosmicStrand is linked to the Spy Shadow Trojan rootkit.

The recently uncovered CosmicStrand rootkit features a lengthy and intricate execution chain, whose ultimate objective is to install a kernel-level implant on Windows systems while remaining undetected and persistent for as long as possible.

The entire procedure consists of setting up hooks that alter the operating system loader and take over the whole execution flow, so that shellcode which retrieves the payload from the command-and-control server can be launched.

The hacked firmware images have a modified CSMCORE DXE driver, which permits a legacy boot process, according to Mark Lechtik, a former Kaspersky reverse engineer who was involved in the research and is now at Mandiant.

"This driver was modified so as to intercept the boot sequence and introduce malicious logic to it," Lechtik stated.

Based on code similarities that were also detected in the MyKings cryptomining botnet, where malware specialists at Sophos discovered Chinese-language artefacts, the Kaspersky researchers were able to link CosmicStrand to a Chinese-speaking actor.

The CosmicStrand UEFI firmware rootkit has been in use since the end of 2016 and may persist on a system for the whole of that system's lifetime.

The victims of CosmicStrand are private individuals residing in China, Vietnam, Iran and Russia, and are said to have no apparent links to any organisation or industry vertical.