A mysterious UEFI malware was found in Asus and Gigabyte motherboards

A sophisticated piece of malware has been discovered that lodges itself in one of the lowest layers of a computer: the motherboard's own UEFI firmware. It has been claiming victims since 2020. The rootkit, dubbed CosmicStrand by Kaspersky Lab researchers, is stealthy and highly persistent because its code is buried deep in the UEFI firmware, which puts it beyond the reach of most security products.

Malware that is hard to detect

CosmicStrand is in fact not entirely new. An earlier variant appeared in 2016 and was active until 2017, when it was first documented by researchers at the Chinese cybersecurity firm Qihoo 360. It then dropped off the radar until recently, when Kaspersky Lab researchers detected new variants and new victims in China, Vietnam, Iran and Russia.

The researchers wrote in their report:

"Based on our analysis of the infrastructure used for the two variants, we estimate that the older one was used between the end of 2016 and mid-2017 and the current one was active in 2020."

Both variants were found in the firmware images of Gigabyte and ASUS motherboards, particularly models based on the Intel H81 chipset, which suggests a potentially exploitable vulnerability in the UEFI builds those boards share. However, the researchers were not able to determine how the firmware was actually infected.

If a vulnerability does exist, exploiting it would most likely require local access to the computer: the malware could be injected into the firmware, for example, by another piece of malware running inside the operating system that overwrites or "updates" the UEFI image. A firmware vulnerability would not be entirely unexpected. Given the age of the affected motherboards (the H81 chipset launched in late 2013 and supports Intel's 4th-generation Haswell CPUs), many vulnerabilities have been discovered over the years in UEFI implementations from different vendors. Another way CosmicStrand could have been implanted, mentioned by Qihoo 360 in 2017, is rather more unusual: physical modification of the products somewhere in the supply chain, either at the factory or later at a distributor or reseller.

CosmicStrand deserves this attention because of where it lives. As part of the UEFI firmware it survives operating system reboots and even reinstallation of the OS or replacement of the boot disk. The rootkit's purpose is to inject malicious code into the Windows kernel during the boot process; that code then contacts a C&C (Command & Control) server and receives further payloads. According to the researchers, the payload arrives in packets carrying 528 bytes of data each, which are assembled in kernel memory and executed.
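Because an implant in the firmware outlives every disk-level remediation described above, the practical check is to compare the firmware itself against a known-good copy rather than the disk. The following is an added example (it is not code from the article, from Kaspersky or from the motherboard vendors) that locates the UEFI firmware volumes in a raw SPI flash dump by their `_FVH` header signature, validates each header with the 16-bit checksum the UEFI spec requires to sum to zero, hashes every volume and compares the hashes with a baseline taken from a trusted reference image. It assumes you already have a raw dump of the flash chip (for example via a hardware programmer) and a vendor image of the same firmware version; the two images in the code are constructed sample data, not real firmware.

```python
"""Baseline check of UEFI firmware volumes in a raw flash dump.

Added example, not from the original article or from Kaspersky's report.
Assumed inputs: a raw SPI flash dump of the suspect board and a trusted
reference image of the same firmware version. The sample images below are
constructed in code and are not real firmware.
"""
import hashlib
import struct

FV_SIGNATURE = b"_FVH"
SIG_OFFSET = 40        # Signature field inside EFI_FIRMWARE_VOLUME_HEADER
FVLEN_OFFSET = 32      # UINT64 FvLength
HDRLEN_OFFSET = 48     # UINT16 HeaderLength
CHECKSUM_OFFSET = 50   # UINT16 Checksum; a valid header sums to zero
FIXED_HEADER_SIZE = 56 # header size before the block map


def header_checksum_ok(header: bytes) -> bool:
    """A valid FV header sums to zero as 16-bit little-endian words."""
    if len(header) % 2:
        return False
    words = struct.unpack(f"<{len(header) // 2}H", header)
    return sum(words) & 0xFFFF == 0


def find_volumes(image: bytes):
    """Yield (offset, length) for every firmware volume with a valid header."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + FIXED_HEADER_SIZE <= len(image):
            fv_len = struct.unpack_from("<Q", image, start + FVLEN_OFFSET)[0]
            hdr_len = struct.unpack_from("<H", image, start + HDRLEN_OFFSET)[0]
            if (hdr_len >= FIXED_HEADER_SIZE and fv_len >= hdr_len
                    and start + fv_len <= len(image)
                    and header_checksum_ok(image[start:start + hdr_len])):
                yield start, fv_len
        pos = image.find(FV_SIGNATURE, pos + 1)


def volume_hashes(image: bytes) -> dict:
    """Map volume offset -> SHA-256 of the whole volume (header + contents)."""
    return {off: hashlib.sha256(image[off:off + ln]).hexdigest()
            for off, ln in find_volumes(image)}


def compare_to_baseline(image: bytes, baseline: dict) -> dict:
    """Classify each volume: match, MODIFIED (hash differs), UNKNOWN (not in
    baseline) or MISSING (in baseline but absent from the dump)."""
    found = volume_hashes(image)
    report = {}
    for off, digest in found.items():
        if off not in baseline:
            report[off] = "UNKNOWN"
        elif baseline[off] != digest:
            report[off] = "MODIFIED"
        else:
            report[off] = "match"
    for off in baseline:
        if off not in found:
            report[off] = "MISSING"
    return report


def build_volume(body: bytes) -> bytes:
    """Constructed test data: a minimal FV header (fixed part plus a one-entry
    block map and its terminator) with a correct checksum, followed by body."""
    hdr_len = FIXED_HEADER_SIZE + 2 * 8
    fv_len = hdr_len + len(body)
    hdr = bytearray(hdr_len)               # ZeroVector and GUID stay zero
    struct.pack_into("<Q", hdr, FVLEN_OFFSET, fv_len)
    hdr[SIG_OFFSET:SIG_OFFSET + 4] = FV_SIGNATURE
    struct.pack_into("<I", hdr, 44, 0x0004FEFF)      # Attributes (arbitrary)
    struct.pack_into("<H", hdr, HDRLEN_OFFSET, hdr_len)
    hdr[55] = 2                                      # Revision
    struct.pack_into("<II", hdr, 56, 1, fv_len)      # BlockMap[0]: 1 block of fv_len
    words = struct.unpack(f"<{hdr_len // 2}H", bytes(hdr))
    struct.pack_into("<H", hdr, CHECKSUM_OFFSET, (-sum(words)) & 0xFFFF)
    return bytes(hdr) + body


# Constructed sample images: two volumes separated by 0xFF padding.
VOL_A = build_volume(b"PEI phase drivers (sample data)" * 4)
VOL_B = build_volume(b"DXE phase drivers (sample data)" * 4)
REFERENCE_IMAGE = b"\xff" * 64 + VOL_A + b"\xff" * 32 + VOL_B + b"\xff" * 64
# Simulated implant: eight bytes patched inside the second volume's contents.
_patch_at = 64 + len(VOL_A) + 32 + FIXED_HEADER_SIZE + 16 + 5
TAMPERED_IMAGE = (REFERENCE_IMAGE[:_patch_at] + b"\x90" * 8
                  + REFERENCE_IMAGE[_patch_at + 8:])
BASELINE = volume_hashes(REFERENCE_IMAGE)

if __name__ == "__main__":
    for off, status in sorted(compare_to_baseline(TAMPERED_IMAGE, BASELINE).items()):
        print(f"FV @ 0x{off:06x}: {status}")
```

Hashing whole volumes keeps the check simple and vendor-independent; a volume that the vendor legitimately rewrites at runtime (NVRAM variable storage, for instance) will always show as MODIFIED and has to be excluded from the baseline by offset, while a volume that does not appear in the vendor image at all is the case worth a closer look with a UEFI parsing tool.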

(Image credits: securelist.com)

However, the rootkit does not act immediately. Once it is running in the Windows kernel, the CosmicStrand code waits 10 minutes for the other Windows components to start and then checks whether the computer has Internet connectivity. Its network communication does not go through the Windows API: it uses its own drivers and talks directly to the network interface, which keeps it out of sight of security products that monitor traffic from inside the operating system. The traffic still has to cross the wire, though, so it remains observable from a network tap, switch or firewall outside the compromised host.

"The most surprising aspect of this malware is that this UEFI rootkit appears to have been in use in the wild since late 2016, long before UEFI attacks began to be publicly described," said the researchers. "This discovery begs a final question: if this is what the attackers were using then, what are they using today? The multiple rootkits discovered so far highlight a blind spot in our sector that needs to be addressed as soon as possible."

The article "A mysterious UEFI malware was found in Asus and Gigabyte motherboards" was originally published on Tech CuE | Close-up Engineering.