The security threat research team at antivirus-maker Kaspersky has discovered a piece of malware called "CosmicStrand". The malware is not entirely new: an earlier variant, dubbed the "Spy Shadow trojan", has been around since 2016-17.
CosmicStrand is a UEFI rootkit found in infected Asus and Gigabyte firmware images, and as such it is what we call an Advanced Persistent Threat (APT), since it is hard to get rid of. No number of Windows reinstalls will remove a UEFI rootkit like this, because it lives in the motherboard's firmware rather than on the disk.
Speaking of Windows, Kaspersky has found that so far, only Windows systems have been attacked and compromised:
All of the attacked machines were Windows-based: every time a computer rebooted, a bit of malicious code would be executed after Windows started. Its purpose was to connect to a C2 (command-and-control) server and download an additional malicious executable.
The anti-malware maker has described in its in-depth Securelist article how the threat actors carry out this entire C2 connection process to deliver the malicious payload during boot-up:
The workflow consists in setting hooks in succession, allowing the malicious code to persist until after the OS has started up. The steps involved are:
- The initial infected firmware bootstraps the whole chain.
- The malware sets up a malicious hook in the boot manager, allowing it to modify Windows’ kernel loader before it is executed.
- By tampering with the OS loader, the attackers are able to set up another hook in a function of the Windows kernel.
- When that function is later called during the normal start-up procedure of the OS, the malware takes control of the execution flow one last time.
- It deploys a shellcode in memory and contacts the C2 server to retrieve the actual malicious payload to run on the victim’s machine.
Kaspersky, however, is unable to determine how the infections were carried out in the first place. Some users have reported that the second-hand motherboards they ordered online were already infected when they received them:
The researchers were unable to determine how the rootkit ended up on the infected machines in the first place, but unconfirmed accounts discovered online indicate that some users have received compromised devices while ordering hardware components online.
For Gigabyte and Asus motherboard users running Windows, enabling Secure Boot may be a viable option to fend off any harmful effects. Of course, the best thing to do is probably to re-flash your BIOS (UEFI firmware), but do make sure to download the firmware image from the motherboard vendor's official website.
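Since the rootkit lives in the flash image itself, one concrete check a defender can run is to compare a dump of the board's SPI flash against the matching image downloaded from the vendor's official site and list exactly where they differ. The script below is an added example, not code from the article or from Kaspersky's research; the two images it compares are constructed in memory, and the helper names (`find_diff_regions`, `compare_images`, `build_sample_images`) are hypothetical.

```python
"""Compare a dumped firmware image against a vendor reference image.

Added example (not from the article or Kaspersky). In practice `reference`
is the vendor-published image and `dump` is what was read back from the
board's SPI flash; here both are constructed sample byte strings.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DiffRegion:
    """A contiguous byte range [start, end) where the two images differ."""
    start: int
    end: int

    @property
    def length(self) -> int:
        return self.end - self.start


def sha256_hex(data: bytes) -> str:
    """Whole-image digest: the quick first check against the vendor's published hash."""
    return hashlib.sha256(data).hexdigest()


def _append_merged(regions: List[DiffRegion], start: int, end: int, merge_gap: int) -> None:
    # Merge with the previous region when the gap between them is small, so a
    # single patched driver shows up as one block rather than scattered bytes.
    if regions and start - regions[-1].end <= merge_gap:
        regions[-1] = DiffRegion(regions[-1].start, end)
    else:
        regions.append(DiffRegion(start, end))


def find_diff_regions(reference: bytes, dump: bytes, merge_gap: int = 16) -> List[DiffRegion]:
    """Return the byte ranges in which `dump` differs from `reference`."""
    regions: List[DiffRegion] = []
    common = min(len(reference), len(dump))
    i = 0
    while i < common:
        if reference[i] == dump[i]:
            i += 1
            continue
        start = i
        while i < common and reference[i] != dump[i]:
            i += 1
        _append_merged(regions, start, i, merge_gap)
    if len(reference) != len(dump):
        # A size mismatch is itself a finding (wrong vendor image, or a
        # truncated dump); report the uncompared tail as one region.
        _append_merged(regions, common, max(len(reference), len(dump)), merge_gap)
    return regions


def compare_images(reference: bytes, dump: bytes) -> Dict[str, object]:
    """Summary report: digests, identity, size check and the differing regions."""
    return {
        "reference_sha256": sha256_hex(reference),
        "dump_sha256": sha256_hex(dump),
        "identical": reference == dump,
        "size_mismatch": len(reference) != len(dump),
        "regions": find_diff_regions(reference, dump),
    }


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed sample: a 4 KiB 'reference' and a copy carrying three small patches."""
    reference = bytes(range(256)) * 16
    dump = bytearray(reference)
    dump[1024:1056] = b"\xff" * 32   # 32-byte patch (reference holds 0x00..0x1f here)
    dump[1060:1064] = b"\x00" * 4    # 4 bytes further on: merged into the region above
    dump[2048:2050] = b"\xaa\xbb"    # a separate 2-byte patch far away
    return reference, bytes(dump)


if __name__ == "__main__":
    ref, dmp = build_sample_images()
    report = compare_images(ref, dmp)
    print("identical:", report["identical"], "size mismatch:", report["size_mismatch"])
    for r in report["regions"]:
        print(f"  differs at 0x{r.start:06x}-0x{r.end:06x} ({r.length} bytes)")
```

A non-empty region list is a lead, not a verdict: real flash dumps legitimately differ from the vendor image in the NVRAM variable store and in board-specific areas such as the network controller region, so the regions worth a closer look are those that fall inside the firmware volumes holding boot-time drivers. An identical digest against an image fetched from the vendor's official site, on the other hand, is the state a re-flash should leave the board in.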
So far, it looks like the victims of CosmicStrand are consumers from China, Vietnam, Iran, and Russia.
From its research, the Russian antivirus company has found similarities between CosmicStrand and an earlier botnet called "MyKings", based on shared code patterns (image above). The latter had its origins in China, so Kaspersky thinks the same is also possible for the new CosmicStrand rootkit.