Oh no, Asus and Gigabyte Motherboards Carry Malware in the BIOS

Kaspersky found a firmware rootkit called CosmicStrand that resides in the BIOS of a number of Asus and Gigabyte motherboards released several years ago.

CosmicStrand is believed to have been created by a Chinese hacker group, and it infected Asus and Gigabyte motherboards built on the Intel H81 chipset, one of the longest-lived chipsets of the Haswell era, which only went out of production in 2020.

The rootkit lodges itself in the UEFI firmware (the modern form of the BIOS), which runs from the moment the computer is powered on. This is what makes CosmicStrand far harder to eradicate than other kinds of malware.


CosmicStrand cannot be deleted simply by formatting PC storage, because it is stored in the BIOS chip, which is separate from the PC storage. UEFI is basically a simple operating system stored on a non-volatile memory chip that is usually permanently installed on the motherboard.

This means that removing CosmicStrand requires a special tool that erases and overwrites the contents of the chip, and this is done while the PC is powered off. Unless that is done, the PC remains infected.
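Because the implant lives in the flash chip rather than on disk, the only way to confirm a board is clean is to compare what is actually in the chip with what the vendor shipped. The script below is an added example, not code from the article or from Kaspersky: it diffs a firmware dump against a known-good vendor image sector by sector and reports the regions that differ, which is what an analyst would do after dumping the SPI flash with an external programmer while the machine is off. The 4 KiB sector size is an assumption (adjust it to the real chip), and both images are constructed sample data, not real firmware.

```python
"""Sector-by-sector comparison of a firmware dump against a vendor image.

Added example, not from the article or Kaspersky. The images below are
constructed sample data standing in for a vendor BIOS release and a dump
taken from a suspect board; they are not real firmware.
"""
import hashlib
from typing import List, Tuple

BLOCK_SIZE = 4096  # assumed SPI flash erase-sector size; set to the real chip's value


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def block_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> List[str]:
    """SHA-256 of each block_size-byte slice of the image, in order."""
    return [sha256_hex(image[off:off + block_size])
            for off in range(0, len(image), block_size)]


def diff_firmware(reference: bytes, dump: bytes,
                  block_size: int = BLOCK_SIZE) -> List[Tuple[int, int]]:
    """Return (offset, length) for every block of `dump` that differs from `reference`.

    A flash chip has a fixed size, so a size mismatch means the wrong vendor
    image or a truncated dump, never a legitimate variant: refuse rather than guess.
    """
    if len(reference) != len(dump):
        raise ValueError(
            f"size mismatch: reference {len(reference)} bytes, dump {len(dump)} bytes")
    changed = []
    pairs = zip(block_hashes(reference, block_size), block_hashes(dump, block_size))
    for index, (ref_hash, dump_hash) in enumerate(pairs):
        if ref_hash != dump_hash:
            offset = index * block_size
            changed.append((offset, min(block_size, len(dump) - offset)))
    return changed


def matches_vendor_hash(image: bytes, expected_sha256: str) -> bool:
    """Whole-image check against a hash published by the vendor (placeholder value here)."""
    return sha256_hex(image) == expected_sha256.lower()


# --- constructed sample data (NOT real firmware) ---
def _synthetic_image(size: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random bytes so the example runs offline."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:size])


REFERENCE_IMAGE = _synthetic_image(64 * 1024, b"vendor-release")  # 64 KiB stand-in
_tampered = bytearray(REFERENCE_IMAGE)
_tampered[0x5000:0x5040] = b"\x90" * 0x40   # change confined to one sector
_tampered[0xAFF0:0xB010] = b"\xCC" * 0x20   # change straddling two sectors
TAMPERED_DUMP = bytes(_tampered)

if __name__ == "__main__":
    for offset, length in diff_firmware(REFERENCE_IMAGE, TAMPERED_DUMP):
        print(f"sector at 0x{offset:06X} ({length} bytes) differs from vendor image")
```

Run against the constructed data this reports three differing sectors (0x5000, 0xA000 and 0xB000), the last two because one small change crosses a sector boundary. A differing sector is not proof of an implant on its own, since NVRAM variables and boot-order settings legitimately change between dumps; the point is to narrow the comparison to a few regions that can then be examined by hand.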

So far, Kaspersky has only found CosmicStrand running on Windows systems in countries such as Russia, China, Iran, and Vietnam. However, because UEFI implants have been in circulation since 2016, it is entirely possible that the infection is actually much larger.

In 2017, the cybersecurity company Qihoo 360 discovered malware that was probably an early variant of CosmicStrand. Since then, other security researchers have found a number of UEFI malware families such as MosaicRegressor, FinSpy, ESPecter, and MoonBounce.

Meanwhile, the CosmicStrand sample newly discovered by Kaspersky is described as potentially very dangerous despite its very small size, under 100 KB.

It is not clear how the malware got into the UEFI firmware in the first place, but how it works once there is clear, and it is simple but frightening. First, it inserts itself into the PC's boot process, which lets it modify the Windows kernel loader before the kernel executes.

From there the malware hooks a function in the Windows kernel that is called later in the boot process. That hook plants shellcode in memory, which then contacts the malware authors' server to fetch and install additional malware on the victim's PC.

CosmicStrand can also disable kernel protections such as PatchGuard, otherwise known as Microsoft Kernel Patch Protection, which is critical to Windows security.

There are a number of code similarities between CosmicStrand and the MyKings botnet, which is commonly used to install cryptocurrency miners on victims' computers.


Researchers at Kaspersky are concerned that CosmicStrand is one of many firmware rootkits that have successfully lurked for years undetected.
