"New CosmicStrand Rootkit Targets Gigabyte and ASUS Motherboards"

A rootkit called CosmicStrand has been discovered in the Unified Extensible Firmware Interface (UEFI) of specific computers. The rootkit, according to researchers, is stored in the firmware images of Gigabyte or ASUS motherboards. The infected firmware images are linked to designs that use the H81 chipset, indicating the existence of a common vulnerability that allowed the attackers to inject the rootkit into the firmware image. The firmware images affected have been modified to run the malicious code at system startup. On the affected machine, a long execution chain is triggered to download and deploy malicious content inside the kernel of the Windows operating system. The firmware's initial entry point has been patched to redirect to code execution added in the .reloc section. According to the researchers, the firmware is being modified with an automated patcher, implying that the attackers had prior access to the victim's computer in order to extract the firmware, inject the malicious code, and then overwrite the motherboard's firmware. As the goal of this rootkit is to allow malicious code to run at the kernel level of the operating system, the infection chain is far more complex than that of a typical malware infection. Since the UEFI code runs before the Windows system loads, the attacker must find a way to pass the malicious code to the operating system before it is launched, even though the UEFI code will have been terminated. The attacker does this by stringing together multiple hooks, allowing the malicious code to be executed after the operating system has been launched. During the infection chain, the rootkit disables Kernel Patch Protection (KPP), also known as PatchGuard, a 64-bit Windows security mechanism that prevents changes to key Windows kernel structures in memory. The CosmicStrand rootkit allocates a buffer in the kernel's address space and maps a shellcode before executing it. This article continues to discuss the concept of rootkits, how CosmicStrand works, and the probable threat actor behind this rootkit.

TechRepublic reports "New CosmicStrand Rootkit Targets Gigabyte and ASUS Motherboards"