Sophisticated Malware Discovered on Asus and Gigabyte Motherboards


The malware universe is fascinating (and worrisome) because threats can come from unlikely places. This week, Kaspersky warned of a sophisticated rootkit that kicks in before the operating system loads. Called CosmicStrand, the malware was found on PCs with Asus and Gigabyte motherboards.

Motherboard (image: Laurel L. Russwurm/Pixabay)

The plague does not exploit any new means of contaminating the machine, but it takes an unusual path. Instead of directly infecting Windows (or another operating system), CosmicStrand lodges itself in the motherboard firmware — we’re talking about a UEFI rootkit.

A rootkit is malware that is difficult to detect and remove. That’s because the threat installs itself deep within the operating system or, as is the case here, hides inside a firmware.

UEFI (Unified Extensible Firmware Interface) is a kind of intermediary between the operating system and the computer’s hardware, which is why it runs as soon as the machine is turned on.

If the rootkit is “glued” to the UEFI, the malware also runs as soon as the PC is turned on. That’s where the problems start.

The CosmicStrand rootkit

According to Kaspersky, CosmicStrand has been active since at least 2020 and has been found on motherboards with the Intel H81 chipset. This is a relatively old chipset: it was announced in 2013 to work with fourth-generation Intel processors (Haswell).

This means that if your PC is based on a newer processor or has a chipset other than the Intel H81, it is not affected by CosmicStrand. Well, at least there’s no sign, so far, that other chipsets have been compromised. So, no panic.

But on vulnerable machines, the problem deserves attention. The rootkit is able to modify the execution flow of the boot process and access specific features of the Windows kernel.

In theory, this approach opens the door to a series of malicious actions, ranging from capturing sensitive data to executing malicious software.

Kaspersky researchers reveal that CosmicStrand causes Windows to load malicious code. They were unable to obtain this payload. But the suspicion is that it is a tool linked to a Chinese group that controls the cryptocurrency mining botnet MyKings.

Based on this, we can assume that the machines affected by CosmicStrand were used to mine cryptocurrency. But other malicious actions are not ruled out.

Malware in action since 2016

The name CosmicStrand was assigned to the rootkit by Kaspersky, but there are indications that the malware is a version of the Spy Shadow Trojan, a pest identified by the Chinese security firm Qihoo 360 in 2017 but in operation since at least 2016.

There are also indications that the servers that control the malware — for the sake of convenience, let’s treat CosmicStrand and the Spy Shadow Trojan as one — have been down for long periods. This finding raises the hypothesis that the rootkit was activated at specific times, perhaps for different purposes.

Activation at specific times makes sense considering that CosmicStrand is a persistent threat. It cannot be removed easily from the computer. As the malware resides in the firmware, even wiping and reinstalling the machine does not solve the problem.

Updating or reflashing the firmware is the most logical way out. But this only makes sense if the rootkit is detected, and that is not an easy task: CosmicStrand adopts strategies that make it difficult for security tools to spot it.

Countries where CosmicStrand was found (image: Securelist/Kaspersky)

One question researchers have not yet been able to answer is: how does CosmicStrand infect a computer? It is a very pertinent question. Infected PCs have been identified in China, Vietnam, Iran and Russia, which suggests it spreads like a virus. On the other hand, as a rule, tampering with a UEFI firmware requires physical access to the machine.

One possibility raised by Qihoo 360 is that the compromised machines were infected through the resale of second-hand motherboards. But there is no evidence that this happened.

In any case, the episode serves as a warning. The industry needs to look more closely at security issues involving UEFI and firmware as a whole.

With information: Ars Technica.
