Kaspersky security researchers have discovered a rootkit named CosmicStrand, located in the firmware images of Gigabyte and ASUS motherboards.
“CosmicStrand is a sophisticated UEFI firmware rootkit that allows its owners to achieve very durable persistence: the whole lifetime of the computer, while at the same time being extremely stealthy,” Kaspersky said.
A rootkit is software implanted in a computer that can give attackers administrator access where the system would have otherwise denied it.
In this case, it could have been used to let attackers install more malware, steal data, and use the machines in botnets.
“The goal of this execution chain is to deploy a kernel-level implant into a Windows system every time it boots, starting from an infected UEFI component,” Kaspersky said.
“Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher,” Kaspersky said.
“If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware.”
The researchers attribute the malware to a Chinese-speaking threat actor and have identified victims in China, Vietnam, Russia, and Iran.
They said all the victims in their user base were private individuals using Kaspersky Anti-Virus’ free version.
Kaspersky said that CosmicStrand seems to have been used in the wild since the end of 2016.
“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016 – long before UEFI attacks started being publicly described.”
“This discovery begs a final question: if this is what the attackers were using back then, what are they using today?”
In 2017, Chinese cybersecurity company Qihoo360 published a blog post about an early version of the CosmicStrand malware family.
Qihoo360 advised consumers to use official channels to buy computer accessories to prevent falling victim to spyware Trojans.
“The multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later,” Kaspersky said.