Kaspersky researchers detailed a new variant of UEFI rootkit – named as CosmicStrand that’s found in ASUS and Gigabyte motherboards. They noted that it’s hard to detect and highly persistent considering the UEFI properties.
Researchers linked the threat actor behind this to a Chinese group who are targeting individuals in China, Russia, Vietnam, and Iran. With this infection, hackers gain kernel-level access to the target machine, warns researchers.
UEFI Rootkit in Motherboards
Since late 2016, an unknown hacker group has been targeting private individuals in China, Russia, Vietnam, and Iran with a UEFI rootkit. This was noted by researchers at Kaspersky, who named it CosmicStrand.
An early variant of this was documented by Qihoo360, to whom a victim approached with complaints of the system, adding a new login account out of the blue and constant security triggers. They named it the Spy Shadow Trojan, and said to be found in ASUS and Gigabyte motherboards, sold between 2013 to 2015.
Hackers infect these motherboards with CosmicStrand to gain kernel-level privileges, so as to perform other malicious operations. How the threat actor is able to infect them in the first place is unknown, but they aim to modify the system OS with this rootkit to take control of the entire execution flow.
This allows them to launch a shellcode that fetches any malicious payload of the hacker’s C2 as desired. All the compromised motherboards will have a modified driver as CSMCORE DXE in their firmware images, which enables a legacy boot process.
And since the UEFI is a critical part of any device, it can’t be removed to have the system go safe. It’s the software that connects device hardware to system OS and needs to run before anything else.
Researchers linked this operation to a Chinese-speaking threat actor, considering the code patterns matching with that of MyKings crypto mining botnet, as the Sophos team detected.
Other Trending News:- News