After bringing the MoonBounce malware to light earlier this year, antivirus maker Kaspersky’s threat research team has discovered another rootkit, a piece of software implanted in a computer that can give attackers administrator-level access, called “CosmicStrand”. The rootkit is not entirely new: it appears to be an evolution of an earlier malware called Spy Shadow Trojan, which was discovered as early as 2016. Researchers found the CosmicStrand malware in the firmware of Asus and Gigabyte motherboards.

The infected motherboards Kaspersky examined all ran on Intel’s H81 chipset, suggesting “the existence of a common vulnerability that allowed attackers to inject their rootkit into the firmware image.” As a reminder, Intel discontinued the chipset in 2020 after introducing it in mid-2013.

Malware is stubborn and can survive a disk format

Kaspersky says CosmicStrand delivers a kernel-level implant into Microsoft Windows every time the computer starts, because the attackers have modified the interface between Windows and the boot firmware, known as the Unified Extensible Firmware Interface (UEFI). UEFI replaced the older BIOS (Basic Input/Output System) firmware interface.

The UEFI firmware resides in a flash memory chip soldered to the computer’s motherboard. It is the first software to run when a system boots, which lets it access and control all hardware components as well as various parts of the machine’s operating system. Because UEFI lives inside that memory chip, malware injected into it survives reboots, disk formatting and operating system reinstalls, allowing threat actors to maintain their presence on compromised machines.

CosmicStrand victims appear to be individuals from China, Vietnam, Iran and Russia. According to Kaspersky, CosmicStrand is used by an unknown Chinese-speaking threat actor. It shares code characteristics with the malware known as MyKings used to infect servers with cryptocurrency mining software.

For years, some Gigabyte and Asus motherboards carried UEFI malware

In 2018, security firm ESET discovered the first UEFI rootkit known to have been used in the wild. This type of persistent threat used to be discussed only theoretically among security researchers, but in recent years it has become clear that it is much more common than previously thought, even though it is relatively difficult to develop.

This week, Kaspersky researchers revealed a new firmware rootkit dubbed “CosmicStrand,” believed to be the work of an unknown group of Chinese malicious actors.

The researchers explain that the rootkit was discovered in firmware images of several Asus and Gigabyte motherboards equipped with an Intel H81 chipset, one of the oldest Haswell-era chipsets that was finally discontinued in 2020.

Since UEFI firmware is the first piece of code that runs when you turn on a computer, this makes CosmicStrand particularly difficult to remove compared to other types of malware. Firmware rootkits are also harder to detect and allow hackers to install additional malware on a target system.

Simply clearing your PC’s storage will not remove the infection, and neither will replacing storage devices. UEFI is essentially a small operating system that lives inside a non-volatile memory chip, usually soldered onto the motherboard. This means that CosmicStrand removal requires special tools to reimage the flash chip when the PC is turned off. Anything else would leave your computer in an infected state.
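Because the implant lives in the SPI flash rather than on disk, the only artefact a defender can inspect is the firmware image itself: dump it with a programmer or vendor tool while the machine is off, then compare it against a known-good dump of the same board. The script below is an added example, not code from Kaspersky or from the article: it locates UEFI firmware volumes in a raw dump by their `_FVH` header signature, validates each header’s 16-bit checksum as the Platform Initialization spec requires, hashes every volume and reports which volumes differ from a baseline. The two “images” it works on are constructed in the script (tiny payloads wrapped in checksum-valid volume headers), so it runs offline; real dumps are megabytes and contain many volumes, but the comparison is the same.

```python
import hashlib
import struct

# Offsets inside EFI_FIRMWARE_VOLUME_HEADER (UEFI Platform Initialization spec):
#   +0  ZeroVector[16]      +16 FileSystemGuid[16]   +32 FvLength (u64)
#   +40 Signature "_FVH"    +44 Attributes (u32)     +48 HeaderLength (u16)
#   +50 Checksum (u16)      +52 ExtHeaderOffset      +54 Reserved  +55 Revision
#   +56 BlockMap entries (u32 NumBlocks, u32 Length), terminated by a zero pair
FVH_SIGNATURE = b"_FVH"
SIGNATURE_OFFSET = 40
MIN_HEADER_LEN = 72  # 56 fixed bytes + one block-map entry + the zero terminator


def header_checksum_ok(header: bytes) -> bool:
    """The spec requires the 16-bit word sum of the whole header to wrap to zero."""
    if len(header) % 2:
        return False
    words = struct.unpack("<%dH" % (len(header) // 2), header)
    return sum(words) & 0xFFFF == 0


def find_firmware_volumes(image: bytes):
    """Return [(offset, length)] for every plausible firmware volume in a flash dump."""
    volumes = []
    pos = image.find(FVH_SIGNATURE)
    while pos != -1:
        start = pos - SIGNATURE_OFFSET
        next_search = pos + 1
        if start >= 0 and start + MIN_HEADER_LEN <= len(image):
            (fv_length,) = struct.unpack_from("<Q", image, start + 32)
            (header_length,) = struct.unpack_from("<H", image, start + 48)
            if (MIN_HEADER_LEN <= header_length <= fv_length
                    and start + fv_length <= len(image)
                    and header_checksum_ok(image[start:start + header_length])):
                volumes.append((start, fv_length))
                next_search = start + fv_length  # skip over the volume body
        pos = image.find(FVH_SIGNATURE, next_search)
    return volumes


def volume_hashes(image: bytes) -> dict:
    """Map each volume's offset to the SHA-256 of its full contents (header + body)."""
    return {off: hashlib.sha256(image[off:off + ln]).hexdigest()
            for off, ln in find_firmware_volumes(image)}


def compare_to_baseline(baseline: dict, current: dict) -> list:
    """Report volumes that changed, appeared, or vanished relative to a known-good dump."""
    findings = []
    for off, digest in sorted(current.items()):
        if off not in baseline:
            findings.append("new volume at 0x%x" % off)
        elif baseline[off] != digest:
            findings.append("modified volume at 0x%x" % off)
    for off in sorted(set(baseline) - set(current)):
        findings.append("missing volume at 0x%x" % off)
    return findings


# --- constructed sample data: NOT a real firmware image ----------------------
def build_volume(payload: bytes, fs_guid: bytes) -> bytes:
    """Assemble a minimal, checksum-valid firmware volume around `payload`."""
    fv_length = MIN_HEADER_LEN + len(payload)
    fixed = (b"\x00" * 16 + fs_guid
             + struct.pack("<Q", fv_length) + FVH_SIGNATURE + struct.pack("<I", 0)
             + struct.pack("<HHHBB", MIN_HEADER_LEN, 0, 0, 0, 2))
    block_map = struct.pack("<IIII", 1, fv_length, 0, 0)
    header = bytearray(fixed + block_map)
    # Choose the Checksum word so that the 16-bit sum of the header wraps to zero.
    partial = sum(struct.unpack("<%dH" % (len(header) // 2), bytes(header))) & 0xFFFF
    struct.pack_into("<H", header, 50, (-partial) & 0xFFFF)
    return bytes(header) + payload


CLEAN_IMAGE = (b"\xff" * 64
               + build_volume(b"PEI core and DXE drivers (constructed)".ljust(128, b"\xff"), b"\x11" * 16)
               + b"\xff" * 32
               + build_volume(b"NVRAM variable store (constructed)".ljust(96, b"\xff"), b"\x22" * 16))

# Simulated tampering: a few bytes inside the first volume's body differ from the baseline dump.
_first_off, _first_len = find_firmware_volumes(CLEAN_IMAGE)[0]
_tampered = bytearray(CLEAN_IMAGE)
_tampered[_first_off + MIN_HEADER_LEN + 4:_first_off + MIN_HEADER_LEN + 8] = b"XXXX"
TAMPERED_IMAGE = bytes(_tampered)

BASELINE = volume_hashes(CLEAN_IMAGE)  # in practice: stored from a trusted dump of the same board/version

if __name__ == "__main__":
    for finding in compare_to_baseline(BASELINE, volume_hashes(TAMPERED_IMAGE)) or ["no differences"]:
        print(finding)
```

A volume whose header fails the checksum is skipped rather than hashed, so a corrupted or deliberately mangled header shows up as a “missing volume” against the baseline instead of silently matching. The baseline must come from the same board model and firmware version, ideally from the vendor’s published image, since NVRAM volumes legitimately change between boots and should be compared separately from code volumes.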

So far, it seems that only Windows systems from countries like Russia, China, Iran, and Vietnam have been compromised. However, the UEFI implant has been in use in the wild since late 2016, raising the possibility that this type of infection is more common than previously thought.

In 2017, security firm Qihoo 360 discovered what might have been an early variant of CosmicStrand. In recent years, researchers have discovered other UEFI rootkits such as MosaicRegressor, FinSpy, ESPecter, and MoonBounce.

As for CosmicStrand, it is a very powerful malware with a size of less than 100 kilobytes. Not much is known about how it ended up on target systems, but how it works is simple. First, it infects the boot process by setting so-called “hooks” at certain points in the execution flow, thereby adding the functionality the attacker needs to modify the Windows kernel loader before it is executed.

From there, the attackers install another hook as a function inside the Windows kernel, which is called later in the boot process. That function deploys in-memory shellcode that can contact a command-and-control server and download additional malware to the infected PC.

CosmicStrand can also disable kernel protections like PatchGuard (known as Microsoft Kernel Patch Protection), which is a crucial Windows security feature. There are also code pattern similarities between CosmicStrand and malware related to the MyKings botnet which was used to deploy cryptominers to victims’ computers.

Kaspersky researchers fear that CosmicStrand is one of many firmware rootkits that have managed to remain hidden for years. They note that “the multiple rootkits discovered so far demonstrate a blind spot in our industry that needs to be addressed as soon as possible.”
