Chinese-speaking hackers have, since at least 2016, been planting near-undetectable malware in the firmware images of some motherboards, one of the most persistent classes of threat known: a UEFI rootkit.
Researchers at cybersecurity firm Kaspersky dubbed it CosmicStrand, but an earlier variant of the threat had been discovered by Qihoo360 malware analysts, who called it the Spy Shadow Trojan.
It is unclear how the threat actor managed to inject the rootkit into the firmware images of the target devices, but researchers found the malware on machines built around ASUS and Gigabyte motherboards.
Mystery UEFI rootkit
Unified Extensible Firmware Interface (UEFI) is the firmware layer that sits between a computer's hardware and its operating system: it initializes the platform and hands control to the OS bootloader.
UEFI firmware is the first code that runs during the boot sequence, before the operating system and any security solution the operating system hosts.
Malware implanted in a UEFI firmware image is not only hard to identify, it is also extremely persistent: because it lives in the motherboard's flash chip rather than on disk, it survives reinstalling the operating system or replacing the storage drive, and only reflashing the firmware with a clean image removes it.
Today, a report from Kaspersky provides technical details about CosmicStrand, from the infected UEFI component to the kernel-level implant it deploys in Windows on every boot.
The whole chain consists of a series of hooks that modify the OS loader and take control of the execution flow, ending with shellcode that fetches the payload from the command-and-control (C&C) server.
Mark Lechtik, a former Kaspersky reverse engineer now at Mandiant who was involved in the research, explains that the compromised firmware images ship with a modified CSMCORE DXE driver, the component that provides the legacy (Compatibility Support Module) boot path.
“This driver has been modified to intercept the boot sequence and introduce malicious logic to it,” Lechtik notes in a tweet on Monday.
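The practical check this implies is to compare a dump of the motherboard's SPI flash against the vendor's clean firmware image file by file, so that a tampered DXE driver such as CSMCORE shows up as a changed module. The script below is an added example, not Kaspersky's or any vendor's tooling: it walks the uncompressed firmware volumes in an image by their "_FVH" signature, hashes each FFS file, and reports GUIDs whose contents differ between the two images. The two firmware volumes it builds are constructed fixtures so it runs offline, and the two module GUIDs in them are placeholders, not the real CSMCORE GUID (take that from the vendor image, e.g. via UEFITool).

```python
"""Inventory the FFS files in a UEFI image and diff a flash dump against a vendor image.

Added example. Handles plain (uncompressed) firmware volumes only; compressed sections and
nested volume images, common in the DXE volume, must be expanded with UEFITool first.
"""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"      # EFI_FIRMWARE_VOLUME_HEADER.Signature lives at offset 40
FV_FIXED_HEADER_LEN = 56    # volume header up to the block map
FFS_HEADER_LEN = 24         # EFI_FFS_FILE_HEADER
FFS_FILE_TYPES = {0x03: "SECURITY_CORE", 0x04: "PEI_CORE", 0x05: "DXE_CORE", 0x06: "PEIM",
                  0x07: "DRIVER", 0x08: "COMBINED_PEIM_DRIVER", 0x09: "APPLICATION",
                  0x0B: "FIRMWARE_VOLUME_IMAGE", 0xF0: "PAD"}


def find_volumes(image: bytes):
    """Yield (start, fv_len, hdr_len) for every volume whose header looks plausible."""
    pos = 0
    while (sig := image.find(FV_SIGNATURE, pos)) >= 0:
        pos = sig + 1
        start = sig - 40
        if start < 0 or start + FV_FIXED_HEADER_LEN > len(image):
            continue
        fv_len, = struct.unpack_from("<Q", image, start + 32)
        hdr_len, = struct.unpack_from("<H", image, start + 48)
        if hdr_len < FV_FIXED_HEADER_LEN or fv_len < hdr_len or start + fv_len > len(image):
            continue            # bogus or truncated header: keep scanning
        yield start, fv_len, hdr_len


def iter_files(image: bytes, start: int, fv_len: int, hdr_len: int):
    """Yield (offset, guid, file_type, raw_bytes) for each FFS file in one volume."""
    pos, end = start + hdr_len, start + fv_len
    while pos + FFS_HEADER_LEN <= end:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if hdr[:16] == b"\xff" * 16:
            return              # erased flash: free space to the end of the volume
        size = int.from_bytes(hdr[20:23], "little")   # 24-bit size, header included
        if size < FFS_HEADER_LEN or pos + size > end:
            return              # corrupt header (large-file headers are not handled)
        yield pos, uuid.UUID(bytes_le=hdr[:16]), hdr[18], image[pos:pos + size]
        rel = pos + size - start
        pos = start + ((rel + 7) & ~7)                # files are 8-byte aligned in the FV


def inventory(image: bytes) -> dict:
    """Map file GUID -> (type name, sha256 of the whole FFS file) across the image."""
    found = {}
    for start, fv_len, hdr_len in find_volumes(image):
        for _off, guid, ftype, raw in iter_files(image, start, fv_len, hdr_len):
            if ftype == 0xF0:
                continue        # padding files carry no code
            found[str(guid)] = (FFS_FILE_TYPES.get(ftype, f"0x{ftype:02x}"),
                                hashlib.sha256(raw).hexdigest())
    return found


def diff_images(dump: bytes, reference: bytes) -> dict:
    """GUIDs that differ between a flash dump and the vendor image: modified/added/missing."""
    a, b = inventory(dump), inventory(reference)
    result = {}
    for guid in a.keys() | b.keys():
        if guid not in b:
            result[guid] = "added"
        elif guid not in a:
            result[guid] = "missing"
        elif a[guid][1] != b[guid][1]:
            result[guid] = "modified"
    return result


# --- constructed fixtures so the example runs offline; in real use pass two SPI dumps ---
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
CSM_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")   # placeholder, not the real CSMCORE GUID
NET_GUID = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")   # placeholder second driver


def build_volume(files) -> bytes:
    """Assemble a minimal FFS2 volume: 72-byte header (one block-map entry) plus files."""
    body = b""
    for guid, ftype, payload in files:
        size = FFS_HEADER_LEN + len(payload)
        body += guid.bytes_le + struct.pack("<HBB", 0, ftype, 0) + size.to_bytes(3, "little") + b"\xf8"
        body += payload + b"\xff" * (-(len(body) + len(payload)) % 8)
    hdr_len = FV_FIXED_HEADER_LEN + 16
    fv_len = hdr_len + len(body)
    header = (b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", fv_len) + FV_SIGNATURE
              + struct.pack("<IHHHBB", 0, hdr_len, 0, 0, 0, 2)
              + struct.pack("<IIII", 1, fv_len, 0, 0))       # block map entry + terminator
    return header + body


REFERENCE = build_volume([(CSM_GUID, 0x07, b"CSMCORE: legacy boot support, vendor build"),
                          (NET_GUID, 0x07, b"network stack driver, vendor build")])
DUMP = build_volume([(CSM_GUID, 0x07, b"CSMCORE: legacy boot support, plus a hook"),
                     (NET_GUID, 0x07, b"network stack driver, vendor build")])

if __name__ == "__main__":
    for guid, verdict in sorted(diff_images(DUMP, REFERENCE).items()):
        print(f"{verdict:9} {guid}")
```

On a real board, dump the flash with an external programmer or a vendor utility rather than trusting a tool run from the possibly compromised OS, and expect legitimate noise in NVRAM volumes (variables and counters change on every boot); the code-bearing DXE files in the BIOS region should match the vendor image byte for byte, and any that do not are what to pull into a disassembler.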
While the CosmicStrand variant discovered by Kaspersky is newer, researchers at Qihoo360 published the first details about an early version of the malware in 2017.
The Qihoo360 researchers analyzed the implant after a victim reported that their computer had created a new user account out of the blue and that their antivirus kept alerting on malware infections.
According to their report, the affected system ran on a second-hand ASUS motherboard the owner had bought from an online store.
Kaspersky determined that the CosmicStrand UEFI rootkit had been placed in the firmware images of Gigabyte and ASUS motherboards that share a common design based on the H81 chipset.
This points to hardware sold between 2013 and 2015, most of which is discontinued today.
It is unclear how the implant was placed on the infected computers; doing so would require either physical access to the device or an earlier malware infection capable of patching the firmware image automatically.
The victims identified by Kaspersky also offer few clues about the threat actor and its targets, since the infected systems belong to private individuals in China, Iran, Vietnam and Russia who cannot be linked to any organization or industry.
However, the researchers attributed CosmicStrand to a Chinese-speaking actor based on code patterns also seen in the MyKings cryptomining botnet, where malware analysts at Sophos found Chinese-language tools.
Kaspersky says the CosmicStrand UEFI firmware rootkit can persist on a system for the lifetime of the computer and has been in operation for years, since the end of 2016.
UEFI malware is becoming more common
The first widely reported UEFI rootkit found in the wild, LoJax, was disclosed in 2018 by ESET and was used in attacks by Russian hackers of the APT28 group (also known as Sednit, Fancy Bear and Sofacy).
Nearly four years later, reports of UEFI malware in the wild have become frequent, and advanced state-backed hackers are not the only ones exploring this option:
Kaspersky disclosed MosaicRegressor in 2020, though it had already been used in 2019 attacks against NGOs.
At the end of 2020, news emerged that the TrickBot developers had built TrickBoot, a new module that checks compromised devices for UEFI firmware vulnerabilities, specifically whether the flash chip's write protections are enabled.
Another UEFI bootkit, revealed in late 2021, was developed by Gamma Group as part of its FinFisher surveillance solution.
That same year, ESET published details about another bootkit, ESPecter, believed to be used primarily for espionage and with origins dating back to 2012.
MoonBounce, considered one of the most sophisticated UEFI firmware implants, was disclosed in January this year as being used by Winnti, a Chinese-speaking hacker group (also known as APT41).