Since at least 2016, hackers have been utilizing a UEFI rootkit buried virtually undetectable in the firmware images of several mainboards. The virus, called CosmicStrand has now been discovered on Asus motherboards and Gigabyte motherboard firmware.
The benefit of utilizing a UEFI rootkit is that the UEFI code is already executing when the machine boots. As a consequence, because the operating system's security features have not yet been loaded, they do not even come into action. It's also proving tough to pinpoint afflicted machines. Of course, reinstalling the operating system or replacing the storage drive does not help at this point.
Kaspersky Lab has released further technical information regarding CosmicStrand. The virus, according to the researchers, customizes the operating system's loader and takes complete control. A command and control server is then used to reload further malware. The corrupted firmware images, according to Mark Lechtik, were provided with a modified CSMCORE DXE driver that supports a legacy boot procedure. " This driver has been tampered with in order to intercept the boot routine and insert malicious logic."
The CosmicStrand UEFI rootkit was discovered in firmware images of Gigabyte or Asus motherboards with a H81 chipset, according to Kaspersky. This is hardware from 2013 to 2015, the majority of which has already been discontinued. Physical access is necessary to install the virus on the affected boards, or a prior version of the malware must be present on the system. This enables the corrupted firmware image to be automatically patched.
Based on the assessed PCs of the victims, the Russian security firm was unable to make any clear conclusions regarding the threat actor. The systems came from private individuals in China, Iran, Vietnam and Russia. There were no resemblances. A connection to the MyKings cryptomining botnet can only be assumed based on code samples. Sophos malware experts discovered artifacts here that point to Chinese hackers.
Older Asus and Gigabyte H81 Mobo Firmwares infected with malware?
