ASUS & Gigabyte Motherboards With Intel Chipsets Vulnerable To CosmicStrand “UEFI Firmware Rootkit” Malware

A new malware known as CosmicStrand has been discovered by Kaspersky which affects ASUS & Gigabyte motherboards featuring Intel chipsets.

The report states that CosmicStrand is a type of UEFI Firmware Rootkit, a type of malware that implants itself in the deepest corners of the OS, making them very difficult to detect and since this is a rootkit we are talking about, it will ensure that the affected computer stays within the infected state even when the OS is reinstalled or the user replaces the HDD entirely. An early variant of the CosmicStrand malware dates all the way back to 2017 which was discovered by a Chinese author but the new version leaves the PC in a more vulnerable state.

According to the report, the CosmicStrand malware mostly affects ASUS & Gigabyte motherboards based on the Intel H81 chipset. The rootkit attaches itself to the firmware images of motherboards from the said company which indicates that a common vulnerability may exist that allows attackers to inject rootkit into the firmware images.

UEFI malware authors face a unique technical challenge: their implant starts running so early in the boot process that the operating system (in this case Windows) is not even loaded in memory yet – and by the time it is, the UEFI execution context will have terminated. Finding a way to pass down malicious code all the way through the various startup phases is the main task that the rootkit accomplishes.

The workflow consists in setting hooks[1] in succession, allowing the malicious code to persist until after the OS has started up. The steps involved are:

The initial infected firmware bootstraps the whole chain.

The malware sets up a malicious hook in the boot manager, allowing it to modify Windows’ kernel loader before it is executed.

By tampering with the OS loader, the attackers are able to set up another hook in a function of the Windows kernel.

When that function is later called during the normal start-up procedure of the OS, the malware takes control of the execution flow one last time.

It deploys a shellcode in memory and contacts the C2 server to retrieve the actual malicious payload to run on the victim’s machine.

It is said that victims were identified in several regions including China, Vietnam, Iran & Russia. PCs within these regions have been affected by CosmicStrand and appear to be private individuals. It is believed that the CosmicStrand malware was developed by a Chinese-speaking threat actor "by leveraging common resources shared among Chinese-speaking threat actors."

CosmicStrand is a sophisticated UEFI firmware rootkit that allows its owners to achieve very durable persistence: the whole lifetime of the computer, while at the same time being extremely stealthy. It appears to have been used in operation for several years, and yet many mysteries remain. How many more implants and C2 servers could still be eluding us? What last-stage payloads are being delivered to the victims? But also, is it really possible that CosmicStrand has reached some of its victims through package “interdiction”? In any case, the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later.

The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016 – long before UEFI attacks started being publicly described. This discovery begs a final question: if this is what the attackers were using back then, what are they using today?

So far, there seems to be no workaround for the CosmicStrand vulnerability, and it's advisable to refrain from getting an older Gigabyte and ASUS motherboard based on an older Intel H81 chipset. But this tell us that there might be even more variants of BIOS firmware-related vulnerabilities out there considering that CosmicStrand has been out in the wild for a few years now.