[German]Security researchers from Kaspersky have tracked down a malware that was hidden in the UEFI firmware of various mainboards from ASUS and Gigabyte. The Chinese malware, CosmicStrand, is said to have been undetected in the UEFI of the affected motherboards since at least 2016.
Advertising
Rootkits are malware programs that are loaded at a low level, preferably before the operating system starts, and take control of the system. Their creation involves significant technical challenges, and the slightest programming error can completely crash the victim's computer. But there are developers who have mastered such techniques and are also successful in delivering these rootkits to systems. The advantage of a rootkit is that it remains on the system even if the operating system is reinstalled.
Kaspersky presented such a finding in the blog post CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit dated July 25, 2022. The rootkit is named CosmicStrand and is attributed to an unknown Chinese-language threat actor. Qihoo360, published a blog post (Chinese) in 2017 about an early variant of this malware family.
Gigabyte or ASUS motherboards affected
The security researchers could not figure out how the systems' UEFI firmware was originally infected. There were indications that one case was due to the purchase of a used motherboard, which may have already been infected. Security researchers have obtained various firmware images and suspect that the changes to the UEFI may have been made with an automated patcher. This would require the attacker to access the victim's computer. However, this all remains in the dark.
However, the security researchers' analysis gives clues about the devices that can be infected by CosmicStrand. The rootkit is found in the firmware images of Gigabyte or ASUS motherboards. In this regard, Kaspersky security researchers have noticed that all infections are related to designs that use the H81 chipset. This indicates that there is a common vulnerability that allows attackers to inject their rootkit into the firmware image.
In these infected firmware images, changes were made to the CSMCORE DXE driver, whose entry point was patched to redirect to code added in the .reloc section. This code, which is executed at system startup, triggers a long execution chain that leads to the download and deployment of a malicious component in Windows.
Advertising
Rootkit loader chain, source: Kaspersky
The goal of the execution chain outlined above is to introduce a kernel-level implant into a Windows system. This is supposed to be loaded on every boot via the infected UEFI component. The authors of the UEFI malware have mastered the challenging technical task of loading the infected component before Windows starts and then surviving the operating system boot process.
- The UEFI malware invoked at system startup sets a hook in the boot manager that allows modifying Windows' kernel loader before it is executed.
- By manipulating the operating system loader, the attackers are able to set another hook in a function of the Windows kernel.
- When this function is later called during the normal startup process of the operating system, the malware takes control of the execution process one last time.
- In doing so, it drops a shellcode in memory and contacts the C2 server to retrieve the actual malicious payload for execution on the victim's machine.
The graphic above outlines this flow. The entire execution chain starts with a modified EFI driver. It appears to be a patched version of a legitimate driver called CSMCORE (which is supposed to facilitate booting the machine in legacy mode via the MBR). The details can be found in the Kaspersky post. Kaspersky didn't write what version of Windows the victims' systems are used (it only mentions that the malware looks for Redstone1 as a pattern, so it refers to the first Windows 10 versions) – but my understanding is that the protection mechanisms in current versions of Windows 10 and Windows 11 should prevent exactly this manipulation of the Windows kernel loader. However, I am not sure.
CosmicStrand victims, source: Kaspersky
Kaspersky has published the above map of countries where victims were found. These were found in China, Vietnam, Iran and Russia, and they are all private individuals using a free version of a Kaspersky antivirus solution. One could give the all-clear now, but that is probably too early.
At the moment, there are still many unanswered questions, but the discovery shows that a suspected Chinese actor has managed to infiltrate the UEFI of certain motherboards. Kaspersky states that this UEFI rootkit has been spreading since the end of 2016 without being noticed. This leads to the question: Were the actors able to further develop the rootkit and is something like this on motherboards undetected? (via)
