Kaspersky researchers discovered CosmicStrand, a new variant of UEFI rootkit popular among Chinese-speaking hackers. Threat actors have been using such malware since at least 2016 to target victims in China, Vietnam, Iran, and Russia.
 

What was found?

CosmicStrand has been found on machines with ASUS and Gigabyte motherboards; however, the researchers could not determine how the attackers gained access to the targeted machines in the first place.
 

The infection procedure

CosmicStrand uses a lengthy, intricate execution chain to infect Windows machines with a kernel-mode implant while remaining undetected and persisting on the system for as long as feasible.
  • UEFI is the software interface between a computer's operating system and the firmware that provides low-level control over the device's specific hardware.
  • UEFI code is the first to run during a computer's boot sequence, before the operating system and any security solution has loaded.
  • If malware is injected into the UEFI firmware image, it survives reinstalling the operating system or replacing the storage drive, which makes it very difficult to identify and remove.
 

Conclusion

UEFI rootkits are uncommon and appear only in highly targeted attacks. This type of malware is specifically designed to infect computers at the most basic level and ensures that a computer remains infected even if the operating system is reinstalled or the user replaces the machine's hard drive entirely. CosmicStrand is the second UEFI rootkit strain discovered this year, following MoonBounce in January 2022.
Cyware Publisher