Researchers Discover UEFI-based Rootkit Exploited In The Wild Since 2016

Share post:

Kaspersky researchers on Monday uncovered CosmicStrand, a sophisticated UEFI rootkit that the company discovered through its antivirus software.

The malicious Unified Extensible Firmware Interface (UEFI) rootkit has been exploited by attackers in the wild since 2016. Researchers linked the malware to an unknown Chinese-speaking hacking group that has possible links to cryptominer malware.

UEFI is almost called an operating system and is located in a flash memory chip connected to SPI that is soldered to the computer motherboard, making it difficult to execute or patch the code.

The purpose of the malware is to ensure that computers remain infected even if an operating system is reinstalled or a hard drive is completely replaced.

“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016—long before UEFI attacks started being publicly described. This discovery begs a final question: If this is what the attackers were using back then, what are they using today,” the Kaspersky researchers wrote.

The CosmicStrand execution chain starts with a driver that appears to be a modification of a legitimate one called CSMCORE. CSMCORE creates a pointer to a boot service function known as HandleProtocol. Once HandleProtocol is called, the execution is redirected to code supplied by the attacker that checks for certain criteria, including the called component and specific bytes contained in the return address.

Before the Windows kernel starts running, CosmicStrand adds another check mark in the ZwCreateSection function, which injects malicious shellcode into the image of a file named ntoskml.exe.

The sources for this piece include an article in Arstechnica.


Related articles

Cyber Security Today, Week in Review for week ending Friday, June 21, 2024

Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday June...

Cyber Security Today, June 21, 2024 – US to ban Kaspersky for businesses, consumers

U.S. to ban the sale of Kaspersky products to consumers and businesses. Welcome to Cyber Security Today. It's Friday...

Biden administration to ban US sales of Kaspersky software over ties to Russia

The Biden administration is set to announce a ban on the sale of Kaspersky Lab's antivirus software in...

Target’s new AI is aimed at employees

Target is introducing a new generative artificial intelligence tool aimed at enhancing the efficiency of its store employees...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways