Researchers at cybersecurity firm Kaspersky have discovered a new form of malware that lives in the UEFI firmware of motherboards. The malware is a type of rootkit that remains present even after the host's hard drive or SSD has been wiped or replaced.
Kaspersky engineers (via Bleeping Computer) named it Cosmic Strand. It is reported to be an evolution of an earlier piece of malware discovered in 2016, called the Spy Shadow Trojan. Researchers found the Cosmic Strand malware in Asus and Gigabyte motherboard firmware. But don't panic! I will explain.
The infected systems were running motherboards based on the H81 chipset, which dates back many years. The attacker would also need access to the system, or another piece of malware already on it, to patch the firmware and inject the Cosmic Strand code. So, if you're reading this, don't assume that your Asus or Gigabyte system has been unsafe or at risk for all these years. Until further investigation, Cosmic Strand may only be able to exploit potential vulnerabilities in H81 UEFI firmware.
The malware sets up a chain of hooks that give it access to the Windows kernel, eventually causing the infected operating system to retrieve a payload that runs on the victim's machine. Kaspersky engineers couldn't obtain the payload itself, but they believe the malware shares code patterns with the Chinese group responsible for the MyKings crypto-mining botnet. And that's no surprise: a scumbag trying to steal or make money.
UEFI (Unified Extensible Firmware Interface) is almost like a mini OS. It is the interface between the system hardware and the software, which means that compromising it affects the OS and every piece of software on the system. UEFI is usually secure, and attacking it requires specialised knowledge of its code, so there are few known UEFI threats.
“The multiple rootkits discovered so far show that there are industry blind spots that need to be addressed sooner rather than later,” Kaspersky reports.
So the threat is limited, but it highlights the need for the industry to pay close attention to potential vulnerabilities. The temptation of a million infected machines secretly mining crypto coins is a huge dangling carrot for malicious actors.