Stealthy CosmicStrand Rootkit Infects PC Firmware

Security researchers have uncovered a stealthy rootkit that infects computers’ firmware and has been in use, undetected, since as far back as the end of 2016.

The CosmicStrand rootkit was uncovered in computers’ UEFI (Unified Extensible Firmware Interface), a software interface that resides on a chip separate from the rest of the system and links the operating system and the platform firmware, according to Moscow-based security firm Kaspersky Lab.

As such it can remain on the computer for the life of the system, no matter how many times the operating system is rebooted, and is highly difficult to detect.

Areas where CosmicStrand attacks have been detected. Image credit: Kaspersky Lab

Firmware compromise

CosmicStrand has mainly been used to attack private individuals in China, as distinct from organisations, with a few attacks also seen in Vietnam, Iran and Russia.

“All the victims in our user base appear to be private individuals,” Kaspersky said in an advisory. “We were unable to tie them to any organisation or even industry vertical.”

Kaspersky said it was unable to discover how the attackers infected systems initially, but it said unconfirmed reports suggested users had received compromised devices when ordering hardware components online.

“The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset,” the firm said.

Code overlap between MyKings and CosmicStrand. Image credit: Kaspersky Lab

Common vulnerability

“This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware’s image.”

Many details about CosmicStrand remain unknown, including its ultimate purpose.

Kaspersky said the CosmicStrand file within the UEFI, a mere 96.84KB, initiates a sequence that modifies Windows during boot and eventually downloads further code from a command server.

It said more implants and command servers could have remained undetected until now, while the last-stage payloads being delivered to targets also remain unknown.

China-based attackers

CosmicStrand is the second UEFI rootkit strain to be discovered this year after MoonBounce in January, which researchers believe was deployed as part of a targeted espionage campaign by the China-linked advanced persistent threat group APT41, also known as Winnti.

“The multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later,” Kaspersky said.

The firm said code overlaps between CosmicStrand, MoonBounce and the MyKings botnet indicate CosmicStrand could, like the other two malware strains, have been developed by Chinese-speaking attackers.

Sophistication

It noted that versions of CosmicStrand appear to have been in use since the end of 2016, long before UEFI attacks were first publicly described, emphasising the malware’s sophistication.

Kaspersky advised users to deploy security software and regularly update UEFI firmware.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
