The Chinese researchers got to analyzing the implant after a victim reported that their computer had created a new account out of the blue and the antivirus software kept alerting of a malware infection.Īccording to their report, the compromised system ran on a second-hand ASUS motherboard that the owner had purchased from an online store. While the CosmicStrand variant Kaspersky discovered is more recent, researchers at Qihoo360 disclosed in 2017 the first details about an early version of the malware. “This driver was modified so as to intercept the boot sequence and introduce malicious logic to it,” Lechtik notes in a tweet on Monday. Mark Lechtik, a former Kaspersky reverse engineer, now at Mandiant, who was involved in the research, explains that the compromised firmware images came with a modified CSMCORE DXE driver, which enables a legacy boot process.
Overview of CosmicStrand UEFI malware execution The entire process consists of setting up hooks to modify the operating system loader and take control of the entire execution flow to launch the shellcode that fetches the payload from the command and control server. Malware planted in the UEFI firmware image is not only difficult to identify but is also extremely persistent as it cannot be removed by reinstalling the operating system or by replacing the storage drive.Ī report from Kaspersky today provides technical details about CosmicStrand, from the infected UEFI component to deploying a kernel-level implant into a Windows system at every boot.
UEFI code is the first to run during a computer’s booting sequence, ahead of the operating system and the security solutions available. The Unified Extensible Firmware Interface (UEFI) software is what connects a computer’s operating system with the firmware of the underlying hardware. It is unclear how the threat actor managed to inject the rootkit into the firmware images of the target machines but researchers found the malware on machines with ASUS and Gigabyte motherboards. Researchers at cybersecurity company Kaspersky called it CosmicStrand but an earlier variant of the threat was discovered by malware analysts at Qihoo360, who named it Spy Shadow Trojan. Chinese-speaking hackers have been using since at least 2016 malware that lies virtually undetected in the firmware images for some motherboards, one of the most persistent threats commonly known as a UEFI rootkit.
0 kommentar(er)
