Security researchers at antivirus maker Kaspersky have discovered a new UEFI firmware rootkit called “CosmicStrand” that has infected systems with Asus and Gigabyte motherboards.
For the uninitiated, UEFI (Unified Extensible Firmware Interface) is the firmware that boots a Windows computer, loading the operating system before any OS-level security measures are active.
As a result, malware placed in the UEFI firmware image is extremely difficult to detect, and it survives reinstalling the operating system or even replacing the storage drive.
While the researchers were unable to determine how the victim machines were initially infected, an analysis of their hardware allowed the experts to discover which devices could be infected by the CosmicStrand.
They found the rootkit in the firmware images of older ASUS and Gigabyte motherboards built around the H81 chipset and sold between 2013 and 2015. This suggests that a common vulnerability allowed the attackers to inject their rootkit into the firmware image.
“In these firmware images, changes have been made to the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain that results in the download and deployment of a malicious component in Windows,” reads the analysis published by the experts.
“Looking at the various firmware images we were able to obtain, we see that the changes may have been made with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer to extract, modify, and overwrite the motherboard’s firmware.”
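The modification quoted above, a DXE driver whose PE entry point has been redirected into the .reloc section, is something a defender can look for in the driver's headers without needing CosmicStrand signatures. The script below is an added example, not Kaspersky's tooling or code from the original article: it parses a PE/COFF image (DXE drivers use that format), locates the section that contains AddressOfEntryPoint, and flags the two anomalies the description implies, an entry point inside .reloc and an entry point in a section not marked as code. The images it checks are constructed in-line as test data; on a real firmware dump you would first extract the CSMCORE driver from the firmware volume with a tool such as UEFITool and feed the resulting PE bytes to `check_entry_point`.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ


def build_pe(entry_rva, sections):
    """Build a minimal PE32+ image. Constructed test data only, not a real DXE driver.
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    opt_size = 240  # standard PE32+ optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    # Optional header: Magic (PE32+), linker versions, three size fields, then
    # AddressOfEntryPoint at offset 16; the remaining fields are left zeroed
    opt = struct.pack("<HBBIIII", 0x20B, 14, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\x00")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                    vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    e_lfanew = 0x40
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    return dos + b"PE\x00\x00" + coff + opt + table


def parse_pe(data):
    """Return (entry_rva, [(name, virtual_address, virtual_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), va, vsize, chars))
    return entry_rva, sections


def entry_point_section(data):
    """Return (name, characteristics) of the section holding the entry point, or (None, 0)."""
    entry_rva, sections = parse_pe(data)
    for name, va, vsize, chars in sections:
        if va <= entry_rva < va + vsize:
            return name, chars
    return None, 0


def check_entry_point(data):
    """Return a list of findings; an empty list means the entry point looks normal."""
    name, chars = entry_point_section(data)
    if name is None:
        return ["entry point RVA lies outside every section"]
    findings = []
    if name == ".reloc":
        findings.append("entry point lies in .reloc, which holds base relocations, not code")
    if not chars & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry section {name} is not marked as a code section")
    return findings


# Constructed sample layouts: a normal driver and one patched the way the article describes
LAYOUT = [(".text", 0x1000, 0x2000, CODE_FLAGS),
          (".data", 0x3000, 0x1000, DATA_FLAGS),
          (".reloc", 0x4000, 0x1000, DATA_FLAGS)]
CLEAN_IMAGE = build_pe(0x1200, LAYOUT)    # entry point inside .text
PATCHED_IMAGE = build_pe(0x4100, LAYOUT)  # entry point redirected into .reloc

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, check_entry_point(image) or ["no anomaly"])
```

Running the script reports no anomaly for the clean layout and two findings for the patched one. The check is a heuristic for triage rather than a signature: a legitimate linker never places the entry point in .reloc, so a hit deserves a closer look, but a clean result does not prove the driver is untouched, since an attacker could equally add a new executable section.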
Check out Kaspersky’s in-depth Securelist article detailing how the threat actors deliver the malicious payload at boot time:
The workflow consists of setting hooks sequentially, which makes the malicious code persist until after the operating system boots. The steps involved are:
- The initially infected firmware bootstraps the entire chain.
- The malware sets up a malicious hook in the boot manager, allowing it to modify the Windows kernel loader before running.
- Tampering with the OS loader allows the attackers to set up another hook in a function of the Windows kernel.
- When that function is called later during the normal operating system boot, the malware takes control of the execution flow one last time.
- It deploys shellcode in memory and contacts the C2 server to retrieve the actual malicious payload to run on the victim’s computer.
While Kaspersky can’t determine how the rootkit got to the infected machines in the first place, some users reported receiving compromised devices after placing an order with a second-hand reseller.
According to the researchers, the UEFI firmware rootkit was mainly used to attack individuals in China, Vietnam, Iran and Russia, with no apparent link to any organization or industry.
Furthermore, the Russian antivirus company has linked CosmicStrand to a Chinese-speaking actor based on code-pattern similarities with an earlier botnet called “MyKings”.
“The most striking aspect of this report is that this UEFI implant appears to have been used in the wild since late 2016 – long before UEFI attacks were publicly described. This discovery raises one final question: If this is what the attackers were using then, what are they using today?” reads the analysis.
In 2017, an earlier variant of the malware was first spotted by Chinese security firm Qihoo360, who named it Spy Shadow Trojan. In recent years, researchers have found additional UEFI rootkits, such as MosaicRegressor, FinSpy, ESpecter, and MoonBounce.