Kaspersky researchers have identified a UEFI firmware rootkit, dubbed CosmicStrand, whose creation they attribute to a Chinese-speaking group. An earlier variant of the rootkit was first described by Qihoo360 in 2017. CosmicStrand infects the firmware of Gigabyte and ASUS-branded motherboards built on the H81 chipset, which suggests these boards share a vulnerability that lets attackers write the rootkit into the firmware image.
The analysis published by the researchers reads:
These firmware images have introduced changes in the CSMCORE DXE driver, whose entry point has been modified to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long chain of execution leading to the download and distribution of a malicious component within Windows.
By examining the various firmware images we were able to obtain, we believe that the changes may have been made with an automatic patcher. If so, it follows that the attackers had prior access to the victim's computer to extract, modify, and overwrite the motherboard firmware.
Analysts added:
CosmicStrand is a sophisticated UEFI firmware rootkit which allows its owners to achieve very long-lasting persistence - the entire life of the computer - while being extremely stealthy at the same time. It appears to have been in use for several years, yet many mysteries remain.
How many other C2 systems and servers could we still miss? What last-stage payloads are delivered to the victims? Is it possible that CosmicStrand has reached some of its victims through the "interdiction" of packages? In any case, the multiple rootkits discovered so far highlight a blind spot in our industry that needs to be addressed as soon as possible.
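The CSMCORE modification quoted above (an entry point redirected into code appended to .reloc) is something a firmware triage script can look for. What follows is an added example, not code from Kaspersky or from the CosmicStrand analysis: a stdlib-only Python check that parses the headers of a PE32/PE32+ DXE driver and flags an entry point that lands in .reloc or in a section not marked as code. It assumes the driver has already been extracted from a firmware dump (with UEFITool or a similar parser); the two sample images are constructed inside the block and are not real CosmicStrand samples, and the section layout, RVAs and function names are all illustrative.

```python
"""Added example (not from the Kaspersky report): heuristic check for a DXE
driver whose PE entry point has been redirected into .reloc, the pattern
described for CosmicStrand's patched CSMCORE.  Input is an already-extracted
PE32/PE32+ driver; no third-party modules are needed."""
import struct
from typing import List, NamedTuple, Optional, Tuple

# IMAGE_SCN_* flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


class Section(NamedTuple):
    name: str
    virtual_address: int
    size: int
    characteristics: int

    def contains(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.size


def parse_pe(image: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section headers) of a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header (TE-format images are not handled here)")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                                    # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    entry_rva, = struct.unpack_from("<I", image, opt + 16)  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i                  # IMAGE_SECTION_HEADER
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size = struct.unpack_from("<III", image, hdr + 8)
        chars, = struct.unpack_from("<I", image, hdr + 36)
        sections.append(Section(name, vaddr, max(vsize, raw_size), chars))
    return entry_rva, sections


def entry_section(image: bytes) -> Optional[Section]:
    entry_rva, sections = parse_pe(image)
    return next((s for s in sections if s.contains(entry_rva)), None)


def check_entry_point(image: bytes) -> List[str]:
    """Findings about where the entry point lands; an empty list means clean."""
    entry_rva, _ = parse_pe(image)
    sec = entry_section(image)
    if sec is None:
        return [f"entry point 0x{entry_rva:x} is outside every section"]
    findings = []
    if sec.name == ".reloc":
        findings.append("entry point is inside .reloc, the pattern reported for "
                        "CosmicStrand's patched CSMCORE")
    if not sec.characteristics & IMAGE_SCN_CNT_CODE:
        # DXE runs in flat mode with no page protections, so a non-code
        # section executes just fine; the flag is evidence, not a barrier.
        findings.append(f"entry point section {sec.name!r} is not flagged as code")
    return findings


def build_pe32plus(entry_rva: int, sections) -> bytes:
    """Assemble a header-only PE32+ image (constructed test data, no real code)."""
    opt = bytearray(240)                               # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x2022)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), size, vaddr, size, 0, 0, 0, 0, 0, chars)
        for name, vaddr, size, chars in sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: identical section layout, differing only in entry point.
LAYOUT = [
    (".text", 0x1000, 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x4000, 0x0800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".reloc", 0x5000, 0x0200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE),
]
CLEAN_IMAGE = build_pe32plus(0x1240, LAYOUT)           # entry in .text
PATCHED_IMAGE = build_pe32plus(0x5040, LAYOUT)         # entry redirected into .reloc

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, entry_section(img).name, check_entry_point(img))
```

To use it on a real driver, read the extracted CSMCORE (or any DXE module) into bytes and pass it to `check_entry_point`. An empty result only means the entry point sits in a code section; a patcher could just as easily redirect into `.text` or rewrite the section flags, so treat this as one triage signal alongside comparing the driver against the vendor's clean image. TE-format images, which some DXE modules use, are rejected rather than parsed.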