In context: in 2018, the security company ESET discovered the first UEFI rootkit seen in use in the wild. This type of persistent threat had been the subject of theoretical discussion among security researchers, but over the past few years it has become clear that it is more common than previously thought, although it remains relatively difficult to develop.
This week, Kaspersky researchers uncovered a new rootkit dubbed “CosmicStrand”, which is believed to be the work of an unknown group of Chinese threat actors.
The researchers explain that the rootkit was detected in firmware images of several Asus and Gigabyte motherboards based on the Intel H81 chipset, one of the longest-lived chipsets of the Haswell era, which was finally discontinued in 2020.
Since UEFI firmware is the first code to run when the computer is powered on, CosmicStrand is particularly difficult to remove compared with other kinds of malware. Firmware rootkits are also hard to detect, and they pave the way for attackers to install additional malware on the target system.
Simply wiping your computer’s storage will not remove the infection, and neither will replacing the storage devices entirely. UEFI is essentially a small operating system that lives in a non-volatile memory chip, usually soldered to the motherboard. This means that removing CosmicStrand requires special tools to reflash that chip while the computer is powered off. Anything less leaves the computer in an infected state.
So far, it appears that only Windows systems in countries such as Russia, China, Iran and Vietnam have been compromised. However, the UEFI implant has been in use in the wild since late 2016, raising the possibility that this type of infection is more common than previously assumed.
Back in 2017, the security company Qihoo 360 discovered what appears to have been an early version of CosmicStrand. In recent years, researchers have found additional UEFI rootkits such as MosaicRegressor, FinSpy, ESPecter and MoonBounce.
As for CosmicStrand, it is a very capable piece of malware less than 100 KB in size. Not much is known about how it reaches target systems, but the way it works is straightforward. First, it infects the boot process by setting so-called “hooks” at certain points in the execution flow, which gives the attacker what is needed to modify the Windows kernel loader before it executes.
From there, the attackers install another hook, in the form of a function in the Windows kernel, that is called during a subsequent boot. This function deploys shellcode in memory that can connect to a command-and-control server and download additional malware to the infected computer.
CosmicStrand can also disable kernel protections such as PatchGuard (also known as Microsoft Kernel Patch Protection), an important Windows security feature. There are also some similarities in code patterns between CosmicStrand and malware related to the MyKings botnet, which was used to spread cryptominers on victims’ computers.
Kaspersky researchers are concerned that CosmicStrand is one of many firmware rootkits that have managed to stay hidden for years. They noted, “The multiple rootkits discovered so far are evidence of a blind spot in our industry that needs to be addressed sooner rather than later.”