Kaspersky researchers have detailed a new variant of UEFI rootkit that was found in ASUS and Gigabyte motherboards shipped from 2013 to 2015 and is capable of deploying kernel-level implants into victims' systems.

Researchers named it CosmicStrand; the earliest variant was documented by Chinese researchers. While it's unclear how the threat actor injects the malware into these motherboards, Kaspersky warned it is highly persistent and mostly goes undetected.

A Hard-to-Remove Issue

For beginners, the Unified Extensible Firmware Interface (UEFI) is the software that connects the system OS with the device's hardware. It's the first thing to load when you turn on your computer, followed by the system OS and then antivirus software.

Because it sits so deep in the boot chain, threat actors target it to gain multiple types of access to the target's machine. And we now see a new one coming from Chinese threat actors, named CosmicStrand by Kaspersky researchers.

Found in ASUS and Gigabyte motherboards, the rootkit is highly persistent and hard to detect, researchers noted, since it runs first and is loaded on every boot. While it's unknown how the threat actors are able to infect the motherboards, the researchers detailed how it works to gain kernel-level privileges.

Researchers noted that CosmicStrand could allow threat actors to gain root-level access and perform any malicious activity with admin-level powers. Most of its activity is about modifying the system OS to take control of the entire execution flow so as to launch shellcode, which in turn fetches a payload from the attacker's C2.

The infected motherboards they saw were from ASUS and Gigabyte (both using the H81 chipset), and only older hardware shipped between 2013 and 2015 was affected. They attributed the threat actor to a Chinese-speaking group, since code patterns match those of the MyKings cryptomining botnet.

Also, an early variant of the same UEFI rootkit was detailed by Qihoo360, the Chinese malware specialists, who named it Spy Shadow Trojan. The targets of this infection are mostly private individuals in China, Iran, Vietnam, and Russia.
