The security company Kaspersky published a report earlier this week about a particularly dangerous piece of malware: a rootkit, one of the hardest kinds of malware to detect and remove. It is called CosmicStrand and was found in the firmware of ASUS and Gigabyte motherboards.
What is a rootkit?
First of all, a definition. A rootkit is malware that is very difficult to detect and remove because it hides in the lowest layers of the system, such as the operating system kernel or the boot chain, where it can tamper with what everything above it sees. Some rootkits go one level lower still and install themselves in the machine's firmware. Antivirus software runs inside the operating system, so code that runs before the operating system has even loaded sits outside anything the antivirus can inspect.
CosmicStrand installs itself in the motherboard firmware, which is what makes it a "UEFI rootkit".
UEFI (Unified Extensible Firmware Interface) is the replacement for the old PC BIOS. In simpler terms, it is the program that initialises the hardware and then hands control to the operating system. It is stored in a flash chip on the motherboard rather than on the disk, and it runs as soon as you turn on the computer, before Windows starts.
Malware planted in the UEFI firmware therefore runs every time the PC is switched on, before any security software, which is what makes a UEFI rootkit so hard to detect and remove.
How does the CosmicStrand rootkit work?
According to Kaspersky, CosmicStrand has been active since at least 2020. From its position in the motherboard firmware it alters the execution flow of the boot process so that its code keeps running while Windows loads, and from there it reaches into the Windows kernel, the core of the operating system and the part that runs with the highest privileges.
Once Windows is up, CosmicStrand fetches a further malicious payload and executes it in the kernel. Kaspersky's researchers were not able to obtain that payload, so what it does is unknown. In theory it could be anything: stealing sensitive data, downloading and running further malware, or enrolling the machine in DDoS attacks.
The researchers do suspect, however, that CosmicStrand is tied to a Chinese-speaking actor that also operates cryptocurrency-mining botnets, because its command-and-control infrastructure follows the same pattern. If so, infected computers may be mining cryptocurrency without their owners' knowledge.
Which computers are affected?
The infected boards found so far all use the Intel H81 chipset. The H81 was released in 2013 for Intel's fourth-generation Core processors (Haswell); it was very popular at the time but has not been used in new machines for years.
So a recent desktop or notebook is not among the known victims. To be sure, check your motherboard's chipset: the board model shown in the UEFI setup screen (and the vendor's spec sheet for it) names the chipset, and on Linux the LPC/ISA bridge entry in the PCI device list does too. No infected boards with any chipset other than the H81 have been reported, although that reflects the samples Kaspersky has seen rather than a limit on where the technique could work.
So far, only ASUS and Gigabyte motherboards have been found infected with the rootkit.
CosmicStrand is an evolution of older malware
CosmicStrand was discovered and named by Kaspersky, which traced its activity back to 2020. It is believed to be a newer version of the Spy Shadow Trojan, which the Chinese security company Qihoo 360 documented in 2017 and which had been active since 2016.
The servers that command the two malware families are the same, which is why CosmicStrand is taken to be an updated (and more dangerous) version of the Spy Shadow Trojan.
Another intriguing detail is that the command servers stay offline for long stretches and are only brought up at specific times. That makes sense for a rootkit this hard to detect and remove: the infection survives on the machine indefinitely, so the operators can leave the servers dark for months and still find their implants waiting when they come back.
Even formatting the disk and reinstalling Windows does not remove it, because it lives in the firmware. The only way to get rid of it is to reflash the firmware with a clean image from the vendor, something few people ever bother to do.
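The practical check for a firmware-resident implant is therefore not an antivirus scan but a comparison of the firmware itself: dump the SPI flash (with flashrom or CHIPSEC, for instance), obtain the matching vendor image, and diff the two module by module to see which driver changed. The following is an added example written for this article, not Kaspersky's tooling or a vendor utility: a minimal Python scanner that locates the EFI firmware volumes in an image by their `_FVH` signature, walks the FFS file headers inside them, hashes each file and reports which files are modified, added or missing relative to the reference. Everything in it is assumed or constructed: the two images are built in memory with made-up driver GUIDs and dummy bodies, and the header layouts are the public EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER structures.

```python
"""Find which firmware module differs between a vendor image and a flash dump.
Added example, not Kaspersky's tooling. Volumes are found by their '_FVH'
signature, FFS files are walked and hashed, and the two images are diffed.
The images used below are constructed in memory, not real dumps."""
import hashlib
import struct
import uuid
from dataclasses import dataclass

FV_SIGNATURE = b"_FVH"      # at offset 40 of EFI_FIRMWARE_VOLUME_HEADER
FV_BASE_HDR_LEN = 56        # volume header length before its block map
FFS_HDR_LEN = 24            # EFI_FFS_FILE_HEADER
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FFS_TYPE_DRIVER = 0x07      # EFI_FV_FILETYPE_DRIVER
BLOCK_SIZE = 0x1000


@dataclass
class FfsFile:
    guid: str
    ftype: int
    offset: int
    size: int
    sha256: str


def find_volumes(image: bytes):
    """Yield (start, length, header_length) for each volume whose header is plausible."""
    pos = 0
    while (sig := image.find(FV_SIGNATURE, pos)) != -1:
        start, pos = sig - 40, sig + 4
        if start < 0:
            continue
        fv_len, = struct.unpack_from("<Q", image, start + 32)
        hdr_len, = struct.unpack_from("<H", image, start + 48)
        if FV_BASE_HDR_LEN <= hdr_len < fv_len <= len(image) - start:
            yield start, fv_len, hdr_len
            pos = start + fv_len        # skip past this volume


def list_files(image: bytes, fv_start: int, fv_len: int, hdr_len: int):
    """Walk the FFS files of one volume; files are 8-byte aligned relative to the volume."""
    files, rel = [], hdr_len
    while rel + FFS_HDR_LEN <= fv_len:
        pos = fv_start + rel
        hdr = image[pos:pos + FFS_HDR_LEN]
        size = int.from_bytes(hdr[20:23], "little")
        if hdr[:16] == b"\xff" * 16 or size < FFS_HDR_LEN or rel + size > fv_len:
            break                       # erased free space, or a header that cannot be right
        files.append(FfsFile(str(uuid.UUID(bytes_le=hdr[:16])), hdr[18], pos, size,
                             hashlib.sha256(image[pos:pos + size]).hexdigest()))
        rel = (rel + size + 7) & ~7
    return files


def scan(image: bytes):
    return [f for fv in find_volumes(image) for f in list_files(image, *fv)]


def diff_images(reference: bytes, suspect: bytes) -> dict:
    """Map GUID -> 'modified' | 'added' | 'missing' for files that differ between the images."""
    ref = {f.guid: f.sha256 for f in scan(reference)}
    sus = {f.guid: f.sha256 for f in scan(suspect)}
    out = {g: "added" for g in sus if g not in ref}
    out.update({g: "modified" for g in sus if g in ref and ref[g] != sus[g]})
    out.update({g: "missing" for g in ref if g not in sus})
    return out


def build_ffs_file(guid: str, ftype: int, payload: bytes) -> bytes:
    """Encode one FFS file with a valid header checksum (file checksum byte fixed at 0xAA)."""
    size = FFS_HDR_LEN + len(payload)
    hdr = bytearray(uuid.UUID(guid).bytes_le + bytes(2) + bytes([ftype, 0])
                    + size.to_bytes(3, "little") + bytes(1))
    hdr[16] = (-sum(hdr)) & 0xFF        # header bytes sum to zero with checksum and State clear
    hdr[17], hdr[23] = 0xAA, 0xF8       # no file checksum; State = data valid
    return bytes(hdr) + payload


def build_volume(files: list, num_blocks: int) -> bytes:
    """Encode an FFS2 volume: header, one block-map entry, aligned files, 0xFF fill."""
    fv_len, hdr_len = num_blocks * BLOCK_SIZE, FV_BASE_HDR_LEN + 16
    hdr = bytearray(bytes(16) + FFS2_GUID.bytes_le + struct.pack("<Q", fv_len) + FV_SIGNATURE
                    + struct.pack("<IHHHBB", 0x0004FEFF, hdr_len, 0, 0, 0, 2)
                    + struct.pack("<IIII", num_blocks, BLOCK_SIZE, 0, 0))
    hdr[50:52] = struct.pack("<H", (-sum(struct.unpack("<36H", hdr))) & 0xFFFF)  # 16-bit checksum
    body = bytearray(hdr)
    for f in files:
        body += f + b"\xff" * (-(len(body) + len(f)) % 8)
    return bytes(body) + b"\xff" * (fv_len - len(body))


# Constructed sample: two drivers with made-up GUIDs; the suspect dump has one patched in place.
DRIVER_A = "0a1b2c3d-0001-4000-8000-000000000001"
DRIVER_B = "0a1b2c3d-0002-4000-8000-000000000002"
_a = build_ffs_file(DRIVER_A, FFS_TYPE_DRIVER, b"MZ" + bytes(300))
_b = build_ffs_file(DRIVER_B, FFS_TYPE_DRIVER, b"MZ" + bytes(100) + b"original boot path" + bytes(200))
_b_patched = _b.replace(b"original boot path", b"HOOKED   boot path")  # same length, bytes changed
REFERENCE_IMAGE = bytes([0xFF]) * 0x200 + build_volume([_a, _b], 1) + bytes([0xFF]) * 0x200
SUSPECT_IMAGE = bytes([0xFF]) * 0x200 + build_volume([_a, _b_patched], 1) + bytes([0xFF]) * 0x200

if __name__ == "__main__":
    for f in scan(SUSPECT_IMAGE):
        print(f"{f.guid} type=0x{f.ftype:02x} off=0x{f.offset:x} size={f.size} sha256={f.sha256[:16]}")
    print(diff_images(REFERENCE_IMAGE, SUSPECT_IMAGE))   # {DRIVER_B: 'modified'}
```

Real images contain nested and compressed volumes, a flash descriptor and an NVRAM region that this scanner does not interpret; UEFITool or the uefi_firmware Python package handle those. The reference image must be the same firmware version as the one on the board, and any driver flagged as modified is the one to extract and analyse.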
The question everybody wants answered
How does CosmicStrand get onto a motherboard? Kaspersky could not establish that. It is often assumed that modifying UEFI firmware requires physical access to the machine, but that is only true when the platform locks the flash chip against writes. If those protections are missing or misconfigured, code running with administrator rights on the installed operating system can rewrite the firmware, and firmware implants have been delivered that way before. Physical access, for example while a board passes through a reseller, is the other route.
Infected boards have been found in China, Iran, Russia and Vietnam. Exactly how they were infected is still unknown, but Qihoo 360 has a hunch: the company believes the ASUS and Gigabyte boards were tampered with while passing through a second-hand motherboard reseller. There is no evidence to support this hypothesis, however.
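Whether firmware can be rewritten from the running operating system is decided by write-protection bits the platform firmware is supposed to set at boot, so the first thing to check on a board you are worried about is whether they are set. The following is an added example, not part of the article or of Kaspersky's report: a Python decoder for the BIOS_CNTL register of the LPC bridge, fed with the hex dump that `lspci -xxx -s 00:1f.0` prints when run as root. It assumes, as stated in the comments, that on the Intel 8-series PCH family the H81 belongs to, BIOS_CNTL sits at config-space offset 0xDC with bit 0 BIOSWE (BIOS write enable), bit 1 BLE (lock enable) and bit 5 SMM_BWP (writes allowed only from SMM); the two sample dumps are constructed, not captured from a real board.

```python
"""Decode BIOS_CNTL from an `lspci -xxx -s 00:1f.0` dump to classify flash write
protection. Added example, not from the article; sample dumps are constructed."""
import re

BIOS_CNTL_OFFSET = 0xDC                           # assumption: LPC bridge offset on 8-series PCH
BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5     # assumed bit positions (see lead-in)

# Constructed dump fragments: only the rows this check needs. Row 00 carries device
# ID 8086:8c5c, the H81 Express LPC Controller; row d0 holds BIOS_CNTL at 0xDC.
SAMPLE_UNLOCKED = """\
00: 86 80 5c 8c 07 00 10 02 05 00 01 06 00 00 80 00
d0: 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00
"""
SAMPLE_LOCKED = """\
00: 86 80 5c 8c 07 00 10 02 05 00 01 06 00 00 80 00
d0: 00 00 00 00 00 00 00 00 00 00 00 00 2a 00 00 00
"""
ROW = re.compile(r"^([0-9a-f]{2}):((?: [0-9a-f]{2}){1,16})$", re.MULTILINE)


def parse_config_space(dump: str) -> dict:
    """Map config-space offset -> byte value from lspci's hex rows ('d0: 00 11 ...')."""
    space = {}
    for m in ROW.finditer(dump):
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            space[base + i] = int(tok, 16)
    return space


def bios_write_protection(dump: str) -> dict:
    """Decode BIOS_CNTL and say whether OS-level code could rewrite the flash."""
    space = parse_config_space(dump)
    if BIOS_CNTL_OFFSET not in space:
        raise ValueError("dump does not contain offset 0x%02x" % BIOS_CNTL_OFFSET)
    val = space[BIOS_CNTL_OFFSET]
    bioswe, ble, smm_bwp = bool(val & BIOSWE), bool(val & BLE), bool(val & SMM_BWP)
    if ble and smm_bwp and not bioswe:
        status = "protected"      # writes confined to SMM and the enable bit is locked
    elif ble:
        status = "lock-only"      # BLE set, but writes are not confined to SMM
    else:
        status = "unprotected"    # root/administrator code can enable writes and reflash
    return {"BIOS_CNTL": val, "BIOSWE": bioswe, "BLE": ble, "SMM_BWP": smm_bwp, "status": status}


if __name__ == "__main__":
    for name, dump in (("unlocked board", SAMPLE_UNLOCKED), ("locked board", SAMPLE_LOCKED)):
        print(name, bios_write_protection(dump))
```

CHIPSEC's common.bios_wp module performs this check together with the SPI protected-range registers, which can protect the BIOS region even when BIOS_CNTL does not; this example decodes only BIOS_CNTL. A result of "unprotected" means code with root or administrator rights could reflash the firmware without anyone opening the case.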
Sources: Kaspersky via Ars Technica