
Beware: Windows PCs with Asus and Gigabyte motherboards harboring the CosmicStrand UEFI rootkit


Source: news.google.com

Demo image of rootkit malware on a CPU (via Sophos)

The threat research team of antivirus maker Kaspersky has discovered malware it calls “CosmicStrand”. The malware is not entirely new: an older variant, the so-called “Spy Shadow Trojan”, has been around since 2016-17.

CosmicStrand is a UEFI rootkit found in infected firmware images of Asus and Gigabyte motherboards, and as such is what we call an Advanced Persistent Threat (APT), since it is difficult to get rid of. Because it lives in the motherboard firmware rather than on disk, no number of Windows reinstalls will remove a UEFI rootkit like this.

Speaking of Windows, Kaspersky discovered that so far, only Windows systems have been attacked and compromised:

All of the attacked machines were Windows-based: every time a computer rebooted, a bit of malicious code was executed after Windows started. Its purpose was to connect to a C2 (command and control) server and download an additional malicious executable.

In its detailed Securelist article, the anti-malware vendor describes how the rootkit carries the infection from firmware through the boot process to the point where it connects to the C2 server and delivers the malicious payload:

The workflow consists of setting hooks in succession, allowing the malicious code to persist until the operating system has started. The steps involved are:

  • The initial infected firmware boots the entire chain.
  • The malware sets up a malicious hook in the boot manager, allowing it to modify the Windows kernel loader before it is executed.
  • By altering the operating system loader, attackers can set another hook into a Windows kernel function.
  • When that function is called later during the normal startup procedure of the operating system, the malware takes control of the execution flow for the last time.
  • It deploys shellcode in memory and communicates with the C2 server to retrieve the actual malicious payload for execution on the victim’s machine.

CosmicStrand UEFI Rootkit

However, Kaspersky was unable to determine how the infections were carried out in the first place. Some users have reported that the second-hand motherboards they ordered online were already infected when they received them:

The researchers were unable to determine how the rootkit ended up on the infected machines in the first place, but unconfirmed accounts discovered online indicate that some users received compromised devices while ordering hardware components online.

For users of Gigabyte and Asus motherboards running Windows, enabling Secure Boot may be a viable option to avoid any harmful effects. Of course, the best thing to do is probably to re-flash your BIOS, but be sure to download the firmware image from the motherboard vendor's official website.
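A host-side check for the two steps just described, added here as an example and not taken from the article or from Kaspersky's research. It uses only built-in Windows cmdlets; the expected firmware hash is a placeholder you must obtain yourself from the vendor's download page, and the script does not flash anything.

```powershell
# Added example: report the board vendor, firmware version and Secure Boot state,
# and verify a downloaded firmware image against a reference hash before flashing.
# Run from an elevated PowerShell prompt.

function Get-BootIntegrityReport {
    $board = Get-CimInstance -ClassName Win32_BaseBoard
    $bios  = Get-CimInstance -ClassName Win32_BIOS

    # Confirm-SecureBootUEFI needs admin rights and throws on legacy-BIOS systems.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $null }   # $null: not a UEFI system, or insufficient privilege

    [pscustomobject]@{
        BoardVendor      = $board.Manufacturer
        BoardModel       = $board.Product
        FirmwareVersion  = $bios.SMBIOSBIOSVersion
        FirmwareDate     = $bios.ReleaseDate
        SecureBoot       = $secureBoot
        # The article names Asus and Gigabyte boards; flag them for a closer look.
        VendorOfInterest = ($board.Manufacturer -match 'ASUS|Gigabyte')
    }
}

function Test-FirmwareImageHash {
    param(
        [Parameter(Mandatory)] [string] $Path,           # firmware file you downloaded
        [Parameter(Mandatory)] [string] $ExpectedSha256  # hash copied from the vendor's page
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "Hash mismatch for ${Path}: got $actual, expected $ExpectedSha256. Do not flash."
    }
    return $true
}

$report = Get-BootIntegrityReport
$report | Format-List
if ($report.SecureBoot -ne $true) {
    Write-Warning "Secure Boot is off or unavailable; enable it in firmware setup before relying on it."
}
# Placeholder call: replace the path and hash with the values from the vendor's download page.
# Test-FirmwareImageHash -Path 'C:\Downloads\BOARD-FW.CAP' -ExpectedSha256 '<SHA256 FROM VENDOR PAGE>'
```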

So far, it appears that the victims of CosmicStrand are consumers from China, Vietnam, Iran, and Russia.

CosmicStrand UEFI Rootkit

In its research, the Russian antivirus company found similarities between CosmicStrand and an earlier botnet called “MyKings”, based on shared code patterns (shown in the image above). MyKings originated in China, so Kaspersky considers the same origin possible for the new CosmicStrand rootkit.

Source: Kaspersky via The Hacker News
