In context: Safety agency ESET found the primary UEFI rootkit that had been used within the wild again in 2018. This kind of persistent risk was the topic of theoretical discussions amongst safety researchers, however over the previous years, it is develop into clear that it is much more frequent than beforehand thought, regardless of being comparatively onerous to develop.
This week, Kaspersky researchers revealed a brand new firmware rootkit dubbed “CosmicStrand,” which is believed to be the work of an unknown group of Chinese language malicious actors.
Researchers clarify that the rootkit was found in firmware pictures of a number of Asus and Gigabyte motherboards geared up with an Intel H81 chipset, one of many longest-living Haswell-era chipsets that was lastly discontinued in 2020.
Since UEFI firmware is the primary piece of code that runs whenever you flip a pc on, this makes CosmicStrand notably onerous to take away in comparison with different sorts of malware. Firmware rootkits are additionally more durable to detect and pave the way in which for hackers to put in further malware on a goal system.
Merely wiping the storage in your PC will not take away the an infection, and neither will changing storage units altogether. UEFI is basically a small working system that lives inside a non-volatile reminiscence chip, often soldered on the motherboard. Which means eradicating CosmicStrand requires particular instruments to reimage the flash chip whereas the PC is powered off. The rest would depart your pc in an contaminated state.
Up to now, it seems solely Home windows programs in international locations like Russia, China, Iran, and Vietnam have been compromised. Nonetheless, the UEFI implant has been used within the wild since late 2016, which raises the chance that such a an infection is extra frequent than beforehand assumed.
Again in 2017, safety agency Qihoo360 found what might have been an early variant of CosmicStrand. In newer years, researchers discovered further UEFI rootkits equivalent to MosaicRegressor, FinSpy, ESpecter, and MoonBounce.
As for CosmicStrand, it is a very potent malware that is lower than 100 kilobytes in measurement. Not a lot is thought about the way it ended up on the goal programs, however the way in which it really works is straightforward. First, it infects the boot course of by setting so-called “hooks” into sure factors of the execution circulate, thus including the performance the attacker wants to switch the Home windows kernel loader earlier than it’s executed.
From there, the attackers can set up one other hook within the type of a perform within the Home windows kernel that is known as in a subsequent boot course of. This perform deploys a shellcode in reminiscence that may contact a command-and-control server and obtain further malware on the contaminated PC.
CosmicStrand also can disable kernel protections like PatchGuard (generally known as Microsoft Kernel Patch Safety), which is an important Home windows safety function. There are additionally some similarities when it comes to code patterns between CosmicStrand and malware associated to the MyKings botnet, which has been used to deploy cryptominers on victims’ computer systems.
Kaspersky researchers are apprehensive that CosmicStrand could also be one in all many firmware rootkits which have managed to remain hidden for years. They word that “the a number of rootkits found up to now proof a blind spot in our trade that must be addressed sooner slightly than later.”