In context: Security agency ESET found the primary UEFI rootkit that had been used within the wild again in 2018. This sort of persistent menace was once the topic of theoretical discussions amongst safety researchers, however over the previous years, it is grow to be clear that it is much more widespread than beforehand thought, regardless of being comparatively arduous to develop.
This week, Kaspersky researchers revealed a brand new firmware rootkit dubbed “CosmicStrand,” which is believed to be the work of an unknown group of Chinese malicious actors.
Researchers clarify that the rootkit was found in firmware photos of a number of Asus and Gigabyte motherboards geared up with an Intel H81 chipset, one of many longest-living Haswell-era chipsets that was lastly discontinued in 2020.
Since UEFI firmware is the primary piece of code that runs whenever you flip a pc on, this makes CosmicStrand significantly arduous to take away in comparison with different forms of malware. Firmware rootkits are additionally tougher to detect and pave the way in which for hackers to put in extra malware on a goal system.
Simply wiping the storage in your PC will not take away the an infection, and neither will changing storage units altogether. UEFI is actually a small working system that lives inside a non-volatile reminiscence chip, often soldered on the motherboard. This implies that eradicating CosmicStrand requires particular instruments to reimage the flash chip whereas the PC is powered off. Anything else would depart your laptop in an contaminated state.
So far, it seems solely Windows methods in nations like Russia, China, Iran, and Vietnam have been compromised. However, the UEFI implant has been used within the wild since late 2016, which raises the chance that any such an infection is extra widespread than beforehand assumed.
Back in 2017, safety agency Qihoo360 found what may have been an early variant of CosmicStrand. In newer years, researchers discovered extra UEFI rootkits akin to MosaicRegressor, FinSpy, ESpecter, and MoonBounce.
As for CosmicStrand, it is a very potent malware that is lower than 100 kilobytes in dimension. Not a lot is thought about the way it ended up on the goal methods, however the way in which it really works is easy. First, it infects the boot course of by setting so-called “hooks” into sure factors of the execution circulate, thus including the performance the attacker wants to change the Windows kernel loader earlier than it’s executed.
From there, the attackers can set up one other hook within the type of a operate within the Windows kernel that is known as in a subsequent boot course of. This operate deploys a shellcode in reminiscence that may contact a command-and-control server and obtain extra malware on the contaminated PC.
CosmicStrand may also disable kernel protections like PatchGuard (referred to as Microsoft Kernel Patch Protection), which is a vital Windows safety function. There are additionally some similarities when it comes to code patterns between CosmicStrand and malware associated to the MyKings botnet, which has been used to deploy cryptominers on victims’ computer systems.
Kaspersky researchers are frightened that CosmicStrand could also be one among many firmware rootkits which have managed to remain hidden for years. They word that “the a number of rootkits found to date proof a blind spot in our trade that must be addressed sooner quite than later.”