Researchers Discover UEFI-based Rootkit Exploited In The Wild Since 2016

Share post:

Kaspersky researchers on Monday uncovered CosmicStrand, a sophisticated UEFI rootkit that the company discovered through its antivirus software.

The malicious Unified Extensible Firmware Interface (UEFI) rootkit has been exploited by attackers in the wild since 2016. Researchers linked the malware to an unknown Chinese-speaking hacking group that has possible links to cryptominer malware.

UEFI is almost called an operating system and is located in a flash memory chip connected to SPI that is soldered to the computer motherboard, making it difficult to execute or patch the code.

The purpose of the malware is to ensure that computers remain infected even if an operating system is reinstalled or a hard drive is completely replaced.

“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016—long before UEFI attacks started being publicly described. This discovery begs a final question: If this is what the attackers were using back then, what are they using today,” the Kaspersky researchers wrote.

The CosmicStrand execution chain starts with a driver that appears to be a modification of a legitimate one called CSMCORE. CSMCORE creates a pointer to a boot service function known as HandleProtocol. Once HandleProtocol is called, the execution is redirected to code supplied by the attacker that checks for certain criteria, including the called component and specific bytes contained in the return address.

Before the Windows kernel starts running, CosmicStrand adds another check mark in the ZwCreateSection function, which injects malicious shellcode into the image of a file named ntoskml.exe.

The sources for this piece include an article in Arstechnica.

SUBSCRIBE NOW

Related articles

Canadian Cyber Defence Agency Lists India as a Cybersecurity Threat for First Time

Canada's federal cyber defence agency, the Communications Security Establishment (CSE), has identified India as a cybersecurity threat to...

Casting a Hex and Deceptive Delight: Jailbreaking Techniques Targeting AI Models

OpenAI's GPT-4o language model can be tricked into generating exploit code by encoding malicious instructions in hexadecimal, according...

CRA Admits to Massive Underreporting of Cyberattacks

The Canada Revenue Agency (CRA) has acknowledged that tens of thousands of taxpayer accounts were hacked between March...

Apple Launches $1 Million Bug Bounty for Hacking Apple Intelligence Servers

Apple has announced a new bug bounty program offering up to $1 million to individuals who can successfully...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways