Researchers have discovered a new variant of a UEFI rootkit that has been in existence since at least 2016 and has been used to target individual victims in several countries, including China, Russia, and Iran. The malware has only been found on machines that have motherboards with the Intel H81 chipset, and researchers are not certain how attackers were able to gain access to the targeted machines initially.
The newly discovered rootkit is known as CosmicStrand and it has a long, complex execution chain whose ultimate goal is to drop a kernel-mode implant on Windows machines and stay hidden and persistent for as long as possible. CosmicStrand was discovered in firmware images for ASUS and Gigabyte motherboards, but the Kaspersky researchers who found it are unsure how it got into the firmware in the first place; they posit that a vulnerability common to the affected boards may be the culprit.
“In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain which results in the download and deployment of a malicious component inside Windows,” the Kaspersky analysis says.
“Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware. This could be achieved through a precursor malware implant already deployed on the computer or physical access.”
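The patching Kaspersky describes (a DXE driver's entry point redirected into its .reloc section) leaves a header-level trace that a firmware analyst can check for without executing anything. The following is an added example, not Kaspersky's tooling and not code taken from the infected firmware: it parses the headers of a PE32/PE32+ image and flags an AddressOfEntryPoint that falls inside .reloc or inside any section lacking code/execute characteristics. The sample image is constructed in-code with headers only and no real driver code. DXE drivers stored as TE (Terse Executable) images are not handled here, and in practice you would run this over each driver extracted from the firmware volume with a tool such as UEFITool.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # 40-byte IMAGE_SECTION_HEADER


def parse_pe(image):
    """Return (entry_rva, [(name, virtual_address, size, characteristics), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    opt_off = pe_off + 24                                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+; TE images are not handled
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", image, opt_off + 16)[0]  # AddressOfEntryPoint
    sections = []
    off = opt_off + opt_size
    for _ in range(num_sections):
        name, vsize, va, rawsize, _, _, _, _, _, chars = SECTION_HDR.unpack_from(image, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), chars))
        off += SECTION_HDR.size
    return entry_rva, sections


def check_entry_point(image):
    """Flag an entry point that lands in .reloc or in any section without code/execute flags."""
    entry_rva, sections = parse_pe(image)
    for name, va, size, chars in sections:
        if va <= entry_rva < va + size:
            executable = bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
            reason = None
            if name == ".reloc":
                reason = "entry point inside .reloc"
            elif not executable:
                reason = "entry point in non-executable section"
            return {"entry_rva": entry_rva, "section": name,
                    "suspicious": reason is not None, "reason": reason}
    return {"entry_rva": entry_rva, "section": None,
            "suspicious": True, "reason": "entry point outside all sections"}


def build_sample_image(entry_in_reloc):
    """Constructed minimal PE32+ (headers only, no real code) with .text and .reloc sections."""
    text_va, text_size = 0x1000, 0x200
    reloc_va, reloc_size = 0x2000, 0x100
    entry = reloc_va + 0x10 if entry_in_reloc else text_va + 0x20
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt = struct.pack("<H", 0x20B) + b"\0" * 14 + struct.pack("<I", entry)
    opt += b"\0" * (240 - len(opt))                          # pad to the PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x2022)
    text = SECTION_HDR.pack(b".text", text_size, text_va, text_size, 0x400, 0, 0, 0, 0,
                            IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    reloc = SECTION_HDR.pack(b".reloc", reloc_size, reloc_va, reloc_size, 0x600, 0, 0, 0, 0,
                             IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ)
    return dos + b"PE\0\0" + coff + opt + text + reloc


if __name__ == "__main__":
    for patched in (False, True):
        print("patched=%s -> %s" % (patched, check_entry_point(build_sample_image(patched))))
```

A clean driver's entry point resolves to a code section; the patched layout resolves to .reloc, which a linker never marks executable. Rather than matching on the section name alone, the check also catches an entry point in any data-only section, so renaming the section would not hide the modification.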
Researchers at Qihoo360 in China discovered earlier versions of this malware family five years ago.
UEFI rootkits are quite rare and typically have been seen in highly targeted attacks. This type of malware is designed to infect a computer below the operating system and lets an attacker maintain persistence through reboots, OS reinstalls and even drive replacement, since the implant lives in the motherboard's flash rather than on disk. UEFI (Unified Extensible Firmware Interface) is the firmware that initializes the hardware and hands control to the operating system's bootloader, replacing the older BIOS. Targeting the UEFI firmware can give an attacker a tremendous advantage, but it is also a difficult trick to pull off.
“UEFI malware authors face a unique technical challenge: their implant starts running so early in the boot process that the operating system (in this case Windows) is not even loaded in memory yet – and by the time it is, the UEFI execution context will have terminated. Finding a way to pass down malicious code all the way through the various startup phases is the main task that the rootkit accomplishes,” the Kaspersky analysis says.
CosmicStrand fetches its kernel shellcode payload from one of two C2 servers. The payload arrives in several separate chunks, which the implant reassembles in memory and maps into kernel space before executing it. The researchers were not able to retrieve the payload delivered by the C2 servers, so what the final stage does remains unknown.
“We did, however, find a user-mode sample in-memory on one of the infected machines we could study, and believe it is linked with CosmicStrand. This sample is an executable that runs command lines in order to create a user (“aaaabbbb”) on the victim’s machine and add it to the local administrators group,” the researchers said.
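The behaviour described for the user-mode sample (a new local account added to the local Administrators group) shows up in the Windows Security log as event 4720 (a user account was created) followed by event 4732 (a member was added to a security-enabled local group). The detection logic below is an added example, not code from the Kaspersky write-up: it correlates the two events by SID within a short window, so it does not depend on the attacker reusing the name "aaaabbbb". The records are constructed to mimic the relevant fields of those events (TargetUserName and TargetSid on 4720; MemberSid and the group name in TargetUserName on 4732); the field names, timestamps and the ten-minute window are assumptions of the example.

```python
from datetime import datetime, timedelta

LOCAL_ADMIN_GROUPS = {"Administrators"}  # extend with localized group names where needed

# Constructed sample records in the shape of Windows Security log events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2022-07-20T10:01:05", "TargetUserName": "aaaabbbb",
     "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
    {"EventID": 4732, "TimeCreated": "2022-07-20T10:01:07", "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1111-2222-3333-1005", "MemberName": "-"},
    # benign account: created, added to a non-admin group, then made admin a day later
    {"EventID": 4720, "TimeCreated": "2022-07-20T11:30:00", "TargetUserName": "helpdesk2",
     "TargetSid": "S-1-5-21-1111-2222-3333-1006"},
    {"EventID": 4732, "TimeCreated": "2022-07-20T11:32:00", "TargetUserName": "Remote Desktop Users",
     "MemberSid": "S-1-5-21-1111-2222-3333-1006", "MemberName": "-"},
    {"EventID": 4732, "TimeCreated": "2022-07-21T09:00:00", "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1111-2222-3333-1006", "MemberName": "-"},
]


def flag_new_local_admins(events, window=timedelta(minutes=10)):
    """Return accounts that were created (4720) and added to a local admin group (4732) within `window`."""
    created = {}   # SID -> (account name, creation time)
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):  # ISO-8601 strings sort chronologically
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (ev["TargetUserName"], when)
        elif ev["EventID"] == 4732 and ev["TargetUserName"] in LOCAL_ADMIN_GROUPS:
            hit = created.get(ev.get("MemberSid"))
            if hit and timedelta(0) <= when - hit[1] <= window:
                findings.append({
                    "account": hit[0],
                    "sid": ev["MemberSid"],
                    "created": hit[1].isoformat(),
                    "added_to": ev["TargetUserName"],
                    "added": when.isoformat(),
                    "delta_seconds": (when - hit[1]).total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for f in flag_new_local_admins(SAMPLE_EVENTS):
        print("new local admin %s (%s) created %s, added to %s after %.0fs"
              % (f["account"], f["sid"], f["created"], f["added_to"], f["delta_seconds"]))
```

Correlating on the SID rather than the account name matters because 4732 frequently records the member as "-" in MemberName and only identifies it reliably by MemberSid. The window keeps routine administration (an account promoted days after creation) out of the alert while still catching a scripted create-and-elevate sequence that completes in seconds.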
Kaspersky did not specify the number of victims targeted with CosmicStrand, but said they all appeared to be private citizens located in China, Iran, Vietnam, and Russia. The researchers said the malware likely was developed by a Chinese-speaking actor and identified several similarities between CosmicStrand and the MyKings botnet malware, including some identical code.
Earlier this year, Kaspersky identified another UEFI rootkit, called MoonBounce, that was used against one known victim.