
The analysis published by the researchers reads:
These firmware images have introduced changes in the CSMCORE DXE driver, whose entry point has been modified to redirect to the code added in the section .reloc. This code, executed during system startup, triggers a long chain of execution leading to the download and distribution of a malicious component within Windows.
By examining the various firmware images we were able to obtain, we believe that the changes may have been made with an automatic patcher. If so, it follows that the attackers had preemptive access to the victim's computer to extract, modify, and overwrite the motherboard firmware.
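The entry-point redirection the researchers describe suggests a simple integrity check a defender can run on DXE drivers extracted from a firmware image (for example with a firmware parser such as UEFITool): a PE module's AddressOfEntryPoint should fall inside an executable code section, never inside .reloc, which holds relocation data and is normally marked non-executable and discardable. The Python below is an added example, not code from the researchers or from the article; it builds two constructed minimal PE32+ images in memory (one with the entry point in .text, one redirected into .reloc) and runs that check on both. The helper names build_pe, parse_sections and check_entry_point are chosen for this example.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def build_pe(entry_rva, sections):
    """Construct a minimal PE32+ image in memory (a constructed sample for this
    example, not a real firmware module). Only the fields the check reads are
    filled in; sections is a list of (name, rva, size, characteristics)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                 # e_lfanew -> PE signature
    opt_size = 240                                      # PE32+ optional header size
    coff = struct.pack(COFF_FMT, 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                    size, rva, size, 0, 0, 0, 0, 0, flags)
        for name, rva, size, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Return (entry_rva, [(name, rva, size, characteristics), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, rva, rawsize, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, sect_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         rva, max(vsize, rawsize), flags))
    return entry_rva, sections


def check_entry_point(data):
    """Locate the section that contains AddressOfEntryPoint and flag it when that
    section is not executable, or when it is .reloc (relocation data that should
    never be the entry point). Returns a dict describing the finding."""
    entry_rva, sections = parse_sections(data)
    for name, rva, size, flags in sections:
        if rva <= entry_rva < rva + size:
            executable = bool(flags & IMAGE_SCN_MEM_EXECUTE)
            return {"section": name, "executable": executable,
                    "suspicious": (not executable) or name == ".reloc"}
    # Entry point outside every section header is itself suspicious.
    return {"section": None, "executable": False, "suspicious": True}


if __name__ == "__main__":
    layout = [(".text", 0x1000, 0x2000, 0x60000020),   # CODE | EXECUTE | READ
              (".reloc", 0x4000, 0x200, 0x42000040)]   # INITIALIZED_DATA | DISCARDABLE | READ
    clean = build_pe(0x1100, layout)     # entry point inside .text, as expected
    patched = build_pe(0x4050, layout)   # entry point redirected into .reloc
    print("clean:  ", check_entry_point(clean))
    print("patched:", check_entry_point(patched))
```

The check is deliberately conservative: it only reports where the entry point lands and whether that section is marked executable, so a legitimate module with an unusual layout would be surfaced for review rather than silently passed. On a real image the same routine would be run over every DXE driver and the result compared against a known-good copy of the vendor firmware, since an attacker who can rewrite the entry point can also rewrite the section flags.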
Analysts added:
CosmicStrand is a sophisticated UEFI firmware rootkit which allows its owners to achieve very long-lasting persistence - the entire life of the computer - while being extremely stealthy at the same time. It appears to have been in use for several years, yet many mysteries remain.
How many other C2 systems and servers could we still miss? What last-stage payloads are delivered to the victims? Is it possible that CosmicStrand has reached some of its victims through the "interdiction" of packages? In any case, the multiple rootkits discovered so far highlight a blind spot in our industry that needs to be addressed as soon as possible.