Researchers named this CosmicStrand, where the earliest variant of this was documented by Chinese researchers. While it’s unclear how the threat actor is injecting his malware into these motherboards, warned it is highly persistent and mostly goes undetected.
A Hard to Remove Issue
To beginners, a Unified Extensible Firmware Interface (UEFI) is software that connects the system OS with the device’s hardware. It’s the first one to load when you turn on your computer, followed by the system OS and antivirus software. And it’s deep and crucial; threat actors target it to gain multiple types of access to the target’s machine. And we see a new one coming from Chinese threat actors – named as CosmicStrand by Kaspersky researchers. Found in ASUS and Gigabyte motherboards, researchers noted that it’s highly persistent and undetectable, since running first and boots every time. While it’s unknown how the threat actors are able to infect the motherboards, they detailed on now it’ll work to gain kernel-level privileges. Researchers noted that CosmicStrand could allow threat actors to gain root-level access, and perform any malicious activity with admin-level powers. Most of its activity is about trying to modify the system OS to take control of the entire execution flow so as to launch the shellcode, which in return brings a payload from the hacker’s C2. While they said the infected motherboards are from ASUS and Gigabyte (since using the H81 chipset), only the old hardware supplied between 2013 to 2015 was affected. They linked the threat actor to a Chinese group, considering the code patterns matching with MyKings crypto mining botnet. Also, an early variant of the same UEFI rootkit was detailed by Qihoo360, Chinese malware specialists who named it Spy Shadow Trojan. And the targets of this infection mostly include private individuals in China, Iran, Vietnam, and Russia.