Researchers have discovered malware that has been secretly infecting systems featuring Asus and Gigabyte motherboards for at least six years.
Since 2016, Chinese-speaking hackers have been infiltrating machines with the CosmicStrand malware, according to a report from Bleeping Computer.
Notably, once the malicious code is in place it sits inside the motherboard's firmware image, where it is largely invisible to the operating system and to the security tools running on it. Malware that implants itself in the firmware this way is classified as a Unified Extensible Firmware Interface (UEFI) rootkit.
The strain was named CosmicStrand by researchers working for cybersecurity firm Kaspersky. However, a previous version of the malware — dubbed Spy Shadow Trojan — was initially uncovered by analysts at Qihoo360.
For reference, UEFI is the firmware interface that sits between the hardware and the operating system. UEFI code therefore runs as soon as the computer is powered on, before the operating system, and before any of its security software, has loaded.
As a result, malware planted in the UEFI firmware image is extremely effective at evading detection. More worrying still, it cannot be removed by a clean reinstall of the operating system, nor by replacing the storage drive: the implant lives in the firmware flash chip on the motherboard, not on disk, so only reflashing the firmware with a known-good image gets rid of it.
“This driver was modified so as to intercept the boot sequence and introduce malicious logic to it,” said Mark Lechtik, a former Kaspersky reverse engineer.
Kaspersky found the CosmicStrand UEFI rootkit in firmware images of Gigabyte and Asus motherboards built around the H81 chipset, hardware sold between roughly 2013 and 2015.
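Because the implant is a modified driver inside the firmware image, the check a responder wants is a file-by-file comparison of the board's firmware against the vendor's clean image rather than anything the operating system can see. The following is an added example, not code from the page, from Kaspersky or from the board vendors: it walks the firmware volumes in a flash dump, hashes every FFS file (PEIMs, DXE drivers and so on) and diffs the result against a baseline image. Only the parts of the UEFI PI firmware-volume and FFS layout needed for that are parsed; the two images at the bottom, including the module GUIDs and the driver body, are constructed test data, not real firmware.

```python
# Added example (not the page's, Kaspersky's or the vendors' code): diff the FFS
# files of a suspect firmware dump against a known-good image. The sample
# volumes at the bottom are constructed in-line; their GUIDs are hypothetical.
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"   # EFI_FIRMWARE_VOLUME_HEADER.Signature, 40 bytes into the header
FFS2_GUID = "8c8ce578-8a3d-4f1c-9935-896185c32dd3"   # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FFS_HEADER_LEN = 24      # sizeof(EFI_FFS_FILE_HEADER)
FFS_ALIGNMENT = 8        # FFS files start on 8-byte boundaries inside a volume
FV_FILETYPE = {0x03: "SECURITY_CORE", 0x04: "PEI_CORE", 0x05: "DXE_CORE",
               0x06: "PEIM", 0x07: "DRIVER", 0x09: "APPLICATION", 0xF0: "PAD"}

def find_volumes(image):
    """Yield (offset, length, header_length) for each plausible firmware volume."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 40
        if start >= 0:
            fv_len, = struct.unpack_from("<Q", image, start + 32)
            hdr_len, = struct.unpack_from("<H", image, start + 48)
            if 72 <= hdr_len <= fv_len <= len(image) - start:
                yield start, fv_len, hdr_len
                pos = image.find(FV_SIGNATURE, start + fv_len)  # skip the volume body
                continue
        pos = image.find(FV_SIGNATURE, pos + 1)

def parse_ffs_files(image, fv_start, fv_len, hdr_len):
    """Yield (guid, type name, sha256 of body, header checksum ok) for each FFS file."""
    pos, end = fv_start + hdr_len, fv_start + fv_len
    while pos + FFS_HEADER_LEN <= end:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:          # erased flash: no more files
            break
        guid = str(uuid.UUID(bytes_le=hdr[:16]))
        ftype, attrs = hdr[18], hdr[19]
        if attrs & 0x01:                              # FFS_ATTRIB_LARGE_FILE: 32-byte header
            raise NotImplementedError(f"large FFS file at 0x{pos:x}")
        size = int.from_bytes(hdr[20:23], "little")   # 24-bit size, header included
        if size < FFS_HEADER_LEN or pos + size > end:
            raise ValueError(f"corrupt FFS header at 0x{pos:x}")
        # Header checksum: with State and the file checksum taken as 0, all header
        # bytes must sum to 0 mod 256.
        hdr_ok = ((sum(hdr[:17]) + sum(hdr[18:23])) & 0xFF) == 0
        body = image[pos + FFS_HEADER_LEN:pos + size]
        yield guid, FV_FILETYPE.get(ftype, f"0x{ftype:02x}"), hashlib.sha256(body).hexdigest(), hdr_ok
        pos += -(-size // FFS_ALIGNMENT) * FFS_ALIGNMENT   # round up to the next file

def inventory(image):
    """Map (volume offset, file GUID) -> (type, sha256, header ok) across the image."""
    inv = {}
    for fv_start, fv_len, hdr_len in find_volumes(image):
        for guid, ftype, digest, hdr_ok in parse_ffs_files(image, fv_start, fv_len, hdr_len):
            inv[(fv_start, guid)] = (ftype, digest, hdr_ok)
    return inv

def diff_images(baseline, suspect):
    """List FFS files added to, missing from or modified in the suspect image."""
    base, susp = inventory(baseline), inventory(suspect)
    findings = []
    for key in sorted(set(base) | set(susp)):
        if key not in base:
            findings.append(("ADDED", key[1], susp[key][0]))
        elif key not in susp:
            findings.append(("MISSING", key[1], base[key][0]))
        elif base[key][1] != susp[key][1]:
            findings.append(("MODIFIED", key[1], susp[key][0]))
    return findings

# --- constructed test data: a minimal vendor volume and a copy with one driver patched ---
def build_ffs_file(guid, ftype, body):
    size = FFS_HEADER_LEN + len(body)
    hdr = bytearray(uuid.UUID(guid).bytes_le + b"\x00\x00" + bytes([ftype, 0])
                    + size.to_bytes(3, "little") + b"\x00")
    hdr[16] = (-sum(hdr)) & 0xFF   # header checksum, computed with bytes 17 and 23 still zero
    hdr[17] = 0xAA                 # FFS_FIXED_CHECKSUM: body is not checksummed
    hdr[23] = 0xF8                 # State bits; not interpreted by the parser above
    blob = bytes(hdr) + body
    return blob + b"\xff" * (-len(blob) % FFS_ALIGNMENT)

def build_volume(files, total_len=0x1000):
    body, hdr_len = b"".join(files), 72   # 56-byte fixed header + block map entry + terminator
    header = (b"\x00" * 16 + uuid.UUID(FFS2_GUID).bytes_le + struct.pack("<Q", total_len)
              + FV_SIGNATURE + struct.pack("<IHHHBB", 0x0004FEFF, hdr_len, 0, 0, 0, 2)
              + struct.pack("<IIII", 1, total_len, 0, 0))
    assert len(header) == hdr_len and hdr_len + len(body) <= total_len
    return header + body + b"\xff" * (total_len - hdr_len - len(body))

PEIM_GUID = "11111111-2222-4333-8444-555555555555"    # hypothetical module GUIDs
DRIVER_GUID = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
CLEAN_DRIVER = b"MZ" + bytes(range(256)) * 4            # stand-in for a DXE driver's PE32 body
TAMPERED_DRIVER = bytearray(CLEAN_DRIVER)
TAMPERED_DRIVER[0x40:0x44] = b"\xe8\x00\x00\x00"        # a patched call, as an implant would leave
VENDOR_IMAGE = build_volume([build_ffs_file(PEIM_GUID, 0x06, b"PEIM body"),
                             build_ffs_file(DRIVER_GUID, 0x07, CLEAN_DRIVER)])
SUSPECT_IMAGE = build_volume([build_ffs_file(PEIM_GUID, 0x06, b"PEIM body"),
                              build_ffs_file(DRIVER_GUID, 0x07, bytes(TAMPERED_DRIVER))])

if __name__ == "__main__":
    for status, guid, ftype in diff_images(VENDOR_IMAGE, SUSPECT_IMAGE):
        print(f"{status:9} {ftype:8} {guid}")   # one line: MODIFIED DRIVER aaaaaaaa-...
```

Against a real board the suspect image is a dump of the SPI flash, taken with a hardware programmer or a flash-access tool, and the baseline is the vendor's BIOS update for the same board and revision (an update wrapped in a capsule has to be unwrapped to the raw volumes first). A clean diff only shows that every file body matches the vendor's; it says nothing about whether the vendor image itself is trustworthy, and a modified driver found this way still has to be reversed to confirm what it does.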
CosmicStrand victims were private individuals in China, Iran, Vietnam and Russia, so no link to a particular nation state, organization or industry could be established. Researchers did, however, attribute CosmicStrand to a Chinese-speaking threat actor, because code patterns in the rootkit also appear in a separate cryptomining botnet.