For the unversed, UEFI (Unified Extensible Firmware Interface) firmware is responsible for booting up Windows computers, including loading the operating system, and it runs before any of the system’s security measures. As a result, malware that has been placed in the UEFI firmware image is particularly hard to detect, and it cannot be removed by performing a clean reinstall of the operating system or even by replacing the storage drive.

While the researchers were not able to determine how the victim machines were infected initially, an analysis of their hardware allowed the experts to discover which devices can be infected by CosmicStrand. They found the rootkit in the firmware images of older ASUS and Gigabyte motherboards built around the H81 chipset and sold between 2013 and 2015. This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware image.

“In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain which results in the download and deployment of a malicious component inside Windows,” reads the analysis published by the experts. “Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware.”

Check out Kaspersky’s in-depth Securelist article that describes how the threat actors deliver the malicious payload during boot up. The workflow consists in setting hooks in succession, allowing the malicious code to persist until after the OS has started up. The steps involved are:

1. The initial infected firmware bootstraps the whole chain.
2. The malware sets up a malicious hook in the boot manager, allowing it to modify Windows’ kernel loader before it is executed.
3. By tampering with the OS loader, the attackers are able to set up another hook in a function of the Windows kernel.
4. When that function is later called during the normal start-up procedure of the OS, the malware takes control of the execution flow one last time.
5. It deploys a shellcode in memory and contacts the C2 server to retrieve the actual malicious payload to run on the victim’s machine.
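The patching pattern Kaspersky describes for CSMCORE (the module’s entry point redirected into code appended to its .reloc section) can be checked for with a small PE/COFF header walk. The following Python is an added example and not code from the Kaspersky report; it assumes the DXE module has already been extracted from the firmware image as a PE/COFF file (for instance with UEFITool), and the PE32+ image it builds for the demonstration is constructed here with no real code in it.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics flag


def entry_point_section(pe):
    """Return (section name, entry RVA, section flags) for the section that
    contains AddressOfEntryPoint, or (None, entry, 0) if no section covers it."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                        # optional header start
    entry = struct.unpack_from("<I", pe, opt + 16)[0]          # AddressOfEntryPoint
    for i in range(nsec):
        off = opt + opt_size + 40 * i                          # 40-byte section headers
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", pe, off + 8)     # VirtualSize, VirtualAddress
        flags = struct.unpack_from("<I", pe, off + 36)[0]      # Characteristics
        if va <= entry < va + vsize:
            return name, entry, flags
    return None, entry, 0


def entry_point_finding(pe):
    """None when the entry point looks plausible, otherwise a short reason string."""
    name, entry, flags = entry_point_section(pe)
    if name is None:
        return f"entry 0x{entry:x} lies outside every section"
    if name == ".reloc":
        return f"entry 0x{entry:x} redirected into .reloc"
    if not flags & IMAGE_SCN_MEM_EXECUTE:
        return f"entry 0x{entry:x} in non-executable section {name}"
    return None


def build_image(entry_rva):
    """Constructed minimal PE32+ header (headers only, no code) with a .text and a
    .reloc section, used so the checker can be exercised offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<HBBIIIII", 0x20B, 0, 0, 0x1000, 0x200, 0, entry_rva, 0x1000)
    opt += b"\0" * (240 - len(opt))                                       # pad PE32+ optional header
    secs = b""
    for name, va, size, flags in ((b".text", 0x1000, 0x1000, 0x60000020),
                                  (b".reloc", 0x2000, 0x200, 0x42000040)):
        secs += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, va, size, 0x400, 0, 0, 0, 0, flags)
    return dos + coff + opt + secs


if __name__ == "__main__":
    for label, rva in (("clean", 0x1000), ("patched", 0x2040)):
        print(label, entry_point_finding(build_image(rva)))
```

A legitimate module's entry point sits in an executable code section, so an entry RVA inside .reloc, or outside every section, is worth pulling the module for closer inspection.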
While Kaspersky is unable to determine how the rootkit ended up on the infected machines in the first place, some users reported that they received compromised devices after placing an order with a second-hand reseller. According to the researchers, the UEFI firmware rootkit was used mainly to attack private individuals in China, Vietnam, Iran, and Russia, with no link to any organization or industry vertical. Further, the Russian antivirus company has linked CosmicStrand to a Chinese-speaking actor based on code patterns it shares with an earlier botnet called “MyKings”.

“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016 – long before UEFI attacks started being publicly described. This discovery begs a final question: if this is what the attackers were using back then, what are they using today?” reads the analysis.

Back in 2017, an earlier variant of the malware was first spotted by the Chinese security firm Qihoo360, which named it Spy Shadow Trojan. In recent years, researchers have found additional UEFI rootkits such as MosaicRegressor, FinSpy, ESpecter, and MoonBounce.