Posted on July 28, 2022 at 7:20 PM
A Chinese-speaking hacking group has been found using an old piece of malware that sits undetected in the firmware images of several motherboards. A report from antivirus vendor Kaspersky revealed that the malware has existed since 2016 and is being used as a UEFI rootkit, one of the most persistent kinds of threat.
The malware strain is capable of surviving OS reinstalls. It has been actively compromising older motherboards from Gigabyte and ASUS without being detected.
The malware, dubbed CosmicStrand, is built to infiltrate the motherboard's Unified Extensible Firmware Interface (UEFI) so that it persists on the Windows system even when the original storage drive is no longer present.
Kaspersky stated on Monday that it has seen CosmicStrand circulating on Windows systems in Russia, Iran, Vietnam, and China. All the victims were utilizing the vendor’s free antivirus software, which means they were probably private individuals.
CosmicStrand Can Execute Malicious Process When System Boots
The security firm said that during its investigation it found CosmicStrand in firmware images for older Gigabyte and Asus motherboards that use the H81 chipset, which was first introduced in 2013 and has since been discontinued.
By infecting the UEFI of the motherboard, CosmicStrand can execute a malicious process as soon as the PC boots up.
This can lead to the system retrieving a malicious tool from a hacker-controlled server and installing it in the Windows OS.
However, the Kaspersky researchers admitted that they couldn’t get a copy of data from the command and control (C2) server.
The firm also did not see any evidence that the developers of CosmicStrand were trying to remotely hijack the compromised machines.
The researchers also admitted that they are not sure how CosmicStrand found its way onto victim computers, but they said it could have been planted by another malware strain already present on the affected machine, or by attackers who gained physical access to the hardware.
Judging from the several images the researchers were able to collect, the modifications were made with an automated patcher. This means the attackers could have had prior access to the victim's computer, allowing them to steal, modify, and overwrite the motherboard's firmware.
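As an added illustration (not code from Kaspersky's report or from this article), the Python below shows how comparing several firmware dumps against a known-good vendor image surfaces the consistent modifications an automated patcher leaves behind, while per-board differences drop out. The 1 KiB images and the IMPLANT marker are constructed sample data; the script assumes the dumps and the reference image are the same size.

```python
from typing import Dict, Iterable, List, Set, Tuple

Region = Tuple[int, int]  # (offset, length) of a modified byte run


def modified_offsets(reference: bytes, suspect: bytes) -> Set[int]:
    """Offsets at which a suspect dump differs from the known-good image."""
    if len(reference) != len(suspect):
        raise ValueError(f"image sizes differ: {len(reference)} vs {len(suspect)}")
    return {i for i, (a, b) in enumerate(zip(reference, suspect)) if a != b}


def to_regions(offsets: Iterable[int], merge_gap: int = 16) -> List[Region]:
    """Collapse offsets into (offset, length) runs; up to merge_gap unchanged bytes
    between differences are bridged, since a patched routine usually keeps a few."""
    regions: List[Region] = []
    start = prev = None
    for off in sorted(offsets):
        if start is None:
            start = off
        elif off - prev > merge_gap:
            regions.append((start, prev - start + 1))
            start = off
        prev = off
    if start is not None:
        regions.append((start, prev - start + 1))
    return regions


def common_modifications(reference: bytes, dumps: Dict[str, bytes]) -> List[Region]:
    """Regions where every dump (at least one required) carries the same changed bytes.
    Per-board data such as serials differs between dumps and drops out of the intersection."""
    common = set.intersection(*(modified_offsets(reference, d) for d in dumps.values()))
    same = {o for o in common if len({d[o] for d in dumps.values()}) == 1}
    return to_regions(same)


def _patch(image: bytes, offset: int, data: bytes) -> bytes:
    return image[:offset] + data + image[offset + len(data):]


# Constructed sample data: a stand-in "vendor image" and two board dumps.
REFERENCE = bytes(range(256)) * 4
IMPLANT = b"IMPLANT!"  # placeholder for injected driver bytes, not real code
DUMPS = {
    "board-a": _patch(_patch(REFERENCE, 0x100, IMPLANT), 0x300, b"\xff\xfe"),
    "board-b": _patch(_patch(REFERENCE, 0x100, IMPLANT), 0x380, b"\xaa\xbb"),
}

if __name__ == "__main__":
    for name, dump in DUMPS.items():
        print(name, [(hex(o), n) for o, n in to_regions(modified_offsets(REFERENCE, dump))])
    print("common:", [(hex(o), n) for o, n in common_modifications(REFERENCE, DUMPS)])
```

Vendor update files frequently contain only the BIOS region rather than the whole SPI flash, so in practice a full flash dump has to be cut to the matching region before the comparison is meaningful.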
Other UEFI Malware Discovered In The Past
CosmicStrand is one of several UEFI-based malware strains discovered in the wild. Over the years, the antivirus industry has uncovered a number of strains in the same UEFI family, but while many of them have been discovered and rendered obsolete, CosmicStrand has kept its operations hidden for several years.
According to the investigation by Kaspersky, a sample of the malware was sending information to the C2 server that was first seen in December 2016. The researchers also saw another sample sending information to a separate hacker-controlled server in 2020.
Additionally, the researchers stated that the Chinese antivirus vendor Qihoo 360 uncovered an earlier variant of CosmicStrand in 2017, which affected the Asus B85M motherboard.
The initial report by Qihoo noted that the buyer may have received a backdoored motherboard after ordering it from a second-hand reseller. But Kaspersky stated that it was not able to confirm the information.
Chinese Hackers Are Suspects
Kaspersky stated that, based on the information available from the investigation, Chinese hackers are suspected to be behind the CosmicStrand malware. The cybersecurity vendor stated that the malware's code shares features with other malware linked to Chinese-language hackers.
Kaspersky products normally detect the threat and prevent it from executing properly. However, complete software disinfection is not feasible because there is a high risk of damaging the user's system outright.
It has also been observed that UEFI code is the first to run during a computer's boot sequence, before the operating system and any security solutions. Malware delivered in the UEFI firmware image is therefore very difficult to identify and very persistent. The researchers noted that the malware is very stubborn and cannot be removed by replacing the storage drive or reinstalling the operating system.
The only way to remove the infection completely is to re-flash the motherboard's firmware. This is a delicate operation that advanced users can carry out through the BIOS setup, or through utilities provided by the hardware vendor.
An alternative is to replace the system's motherboard before Windows is reinstalled.