CosmicStrand: Malicious code targeting Asus and Gigabyte H81 motherboards, case reported in Vietnam
Security experts at Kaspersky have just disclosed information about a firmware rootkit called CosmicStrand, indicating it is the work of hackers from China. Specifically, Kaspersky's experts say the rootkit is embedded within the UEFI firmware image of H81 chipsets, found in popular motherboard models produced by Asus and Gigabyte. The H81 chipset is, in fact, the longest-lived chipset of Intel's Haswell CPU era, with production only ceasing in 2020.

Since UEFI firmware is the first code that executes when a computer is turned on, UEFI rootkits like CosmicStrand are extremely difficult to remove from a computer compared to other types of malware. UEFI rootkits are also harder to detect, which gives the attackers a gateway for installing additional malicious code into the targeted systems.

When a chipset is infected with a UEFI rootkit, reinstalling Windows or changing the hard drive resolves nothing, because the rootkit is installed on a soldered static random-access memory chip on the motherboard. This means that the only way to remove CosmicStrand is to use a special tool to flash the data on that memory chip while the computer is powered off.

According to Kaspersky, only 4 countries have reported Windows computer systems infected with CosmicStrand: Russia, China, Iran, and Vietnam. What is concerning, however, is that the UEFI rootkit has been in use since late 2016, indicating that UEFI rootkits are more widespread and effective than initially assessed. It is worth remembering that ESET, back in 2018, was the first to detect the existence of this type of malware.

From the firmware, the attackers then install further 'hooks' into Windows kernel components during the subsequent boot process. This stage runs shellcode in the computer's memory, which automatically contacts the malware's command-and-control server to download and install other malicious code on computers infected with CosmicStrand.

Despite being just under 100 kB in size, CosmicStrand is capable of disabling PatchGuard, also known as Microsoft Kernel Patch Protection, a highly important security feature of Windows. According to Kaspersky, the code structure of CosmicStrand also bears a resemblance to the MyKings botnet, which silently installs cryptocurrency mining software on infected computers.

What concerns Kaspersky's experts the most is the fact that CosmicStrand remained undetected for 6 years. They believe that “the discovery of these rootkits serves as evidence of a blind spot in the industry that needs to be addressed sooner rather than later.”

According to Techspot
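The article's point that an OS reinstall cannot touch a firmware implant, while reflashing the chip does, is easiest to see by checking the flash image itself rather than the disk. The script below is an added example written for this page, not code from the article, Kaspersky, or Techspot: it splits a SPI flash dump into regions, hashes each one, and compares the hashes against a known-good baseline so that an altered DXE volume stands out while routine NVRAM changes (boot order, settings) are treated as expected drift. The region layout, the sample image and the "implant" payload are all constructed placeholders; a real dump would come from a hardware programmer or a firmware-dump tool, and the real layout from the vendor's flash descriptor.

```python
"""Region-by-region integrity check of a UEFI flash dump against a baseline.

Everything below is constructed for illustration: the 64 KiB layout, the
'known-good' image and the placeholder payload are assumptions, not data from
any real board or from the CosmicStrand report.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

# Hypothetical flash layout: region name -> (offset, length).  A real layout is
# read from the vendor's flash descriptor, not hard-coded.
REGION_LAYOUT: Dict[str, Tuple[int, int]] = {
    "descriptor": (0x0000, 0x1000),
    "pei_volume": (0x1000, 0x3000),
    "dxe_volume": (0x4000, 0xB000),   # where UEFI drivers live
    "nvram":      (0xF000, 0x1000),   # settings, boot order: changes legitimately
}
FLASH_SIZE = 0x10000


def region_hashes(dump: bytes, layout: Dict[str, Tuple[int, int]] = REGION_LAYOUT) -> Dict[str, str]:
    """SHA-256 of every region in the layout; rejects dumps of the wrong size."""
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"unexpected dump size {len(dump):#x}, want {FLASH_SIZE:#x}")
    return {name: hashlib.sha256(dump[off:off + ln]).hexdigest()
            for name, (off, ln) in layout.items()}


def changed_regions(dump: bytes, baseline: Dict[str, str]) -> List[str]:
    """Names of regions whose hash differs from the baseline, sorted."""
    current = region_hashes(dump)
    return sorted(name for name, h in current.items() if baseline.get(name) != h)


def classify(dump: bytes, baseline: Dict[str, str],
             expected_drift: Iterable[str] = ("nvram",)) -> Tuple[str, List[str]]:
    """'tampered' if any region outside the expected-drift set changed, else 'clean'.
    Returns the verdict and the list of suspicious regions."""
    suspicious = [r for r in changed_regions(dump, baseline) if r not in set(expected_drift)]
    return ("tampered" if suspicious else "clean"), suspicious


def build_sample_image() -> bytes:
    """Constructed 'known-good' image: deterministic filler derived from each region name."""
    img = bytearray(FLASH_SIZE)
    for name, (off, ln) in REGION_LAYOUT.items():
        seed = hashlib.sha256(name.encode()).digest()
        img[off:off + ln] = (seed * (ln // len(seed) + 1))[:ln]
    return bytes(img)


def overwrite_region_bytes(image: bytes, payload: bytes, at: int) -> bytes:
    """Constructed tampering helper: overwrite bytes at a flash offset.  Used here
    both to stand in for an implanted driver (placeholder payload in the DXE
    volume) and for a harmless settings change in NVRAM."""
    img = bytearray(image)
    img[at:at + len(payload)] = payload
    return bytes(img)


if __name__ == "__main__":
    vendor_image = build_sample_image()
    baseline = region_hashes(vendor_image)          # taken from the vendor's release image

    # A dump whose DXE volume was modified: reinstalling the OS would not change this.
    implanted = overwrite_region_bytes(vendor_image, b"PLACEHOLDER-IMPLANT", at=0x8000)
    print("implanted dump:", classify(implanted, baseline))   # ('tampered', ['dxe_volume'])

    # A dump where only NVRAM changed (user altered boot order): expected drift.
    settings_changed = overwrite_region_bytes(vendor_image, b"\x01\x02", at=0xF010)
    print("settings-only dump:", classify(settings_changed, baseline))   # ('clean', [])

    # After reflashing with the vendor image every region matches again.
    print("reflashed dump:", classify(vendor_image, baseline))   # ('clean', [])
```

The check is only as good as the baseline: take it from the vendor's signed release image (or a dump captured before deployment), and keep the expected-drift set as small as the platform allows, since an implant placed in a region you ignore will not be reported.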