Cybercriminals are now offering a method to hide malicious code in the GPU and execute it from there. Recently, a post was spotted on a hacker forum in which someone advertised a PoC for this method.

What has been discovered

  • The post on a hacker forum provides brief information regarding a method that exploits the GPU memory buffer to store malicious code and execute it from there.
  • According to the seller, the method works on Windows systems that support version 2.0 or higher of the OpenCL framework, which is used to run code on multiple processors, including GPUs.
  • According to the claims, actors successfully ran an experiment on graphics cards from Radeon (RX 5700), GeForce (GTX 740M/GTX 1650), and Intel (UHD 620/630).
  • In addition, researchers at VX-Underground (a threat repository) claimed that the malicious code allows binary execution by the GPU in its memory.
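For defenders, the OpenCL dependency described above is something that can be hunted for. The following is an added example, not part of the original article or the advertised PoC: it scans Sysmon image-load events (Event ID 7) for processes that load the OpenCL runtime loader, OpenCL.dll, without being on a baseline of programs expected to use it. The baseline paths and the sample events are constructed assumptions.

```python
import ntpath

# Assumption: full paths of programs expected to use OpenCL in this environment.
EXPECTED_OPENCL_USERS = {
    r"c:\program files\blender\blender.exe",
    r"c:\program files\adobe\photoshop\photoshop.exe",
}

# Constructed sample of Sysmon records, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Blender\blender.exe",
     "ImageLoaded": r"C:\Windows\System32\OpenCL.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "ImageLoaded": r"C:\Windows\System32\OpenCL.dll"},
    # Same file name as a baseline program, but in a different directory.
    {"EventID": 7, "Image": r"C:\Users\Public\blender.exe",
     "ImageLoaded": r"C:\Windows\System32\opencl.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]


def unexpected_opencl_loads(events, expected=EXPECTED_OPENCL_USERS):
    """Return image paths of processes that loaded OpenCL.dll but are not baselined."""
    baseline = {path.lower() for path in expected}
    hits = []
    for event in events:
        if event.get("EventID") != 7:  # only image-load events are relevant
            continue
        dll_name = ntpath.basename(event.get("ImageLoaded", "")).lower()
        if dll_name != "opencl.dll":
            continue
        image = event.get("Image", "")
        # Compare the full path, so a look-alike file name elsewhere is still flagged.
        if image.lower() not in baseline:
            hits.append(image)
    return hits


if __name__ == "__main__":
    for image in unexpected_opencl_loads(SAMPLE_EVENTS):
        print("review:", image)
```

Loading OpenCL.dll is normal for many graphics and compute applications, so a hit is a lead for review rather than a verdict.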

The advertisement offering the method was first spotted on August 8; two weeks later, the seller replied that the PoC had been sold to a third party.

Earlier GPU-based PoCs

A member of the hacker forum stated that GPU-based malware is not new and had already been seen before.
  • He mentioned a six-year-old PoC for a Linux-based GPU rootkit, JellyFish.
  • Its authors had disclosed multiple PoCs in May 2015 that included a GPU-based remote access trojan and a GPU-based keylogger for Windows.

To clarify any possible doubts, the seller advertising the recent PoC has denied any possible connection with the JellyFish malware.


With cybercriminals promoting and selling GPU-based malware on hacker forums, a good dose of technical skill or an innovative use of this concept may lead to the development of a new deadly threat. The success of such critical projects may bring further traction to such malware operations. Therefore, GPU vendors should take note and start implementing countermeasures.

Cyware Publisher