"Cybercriminal Sells Tool to Hide Malware in AMD, NVIDIA GPUs"
Cybercriminals are continuing to make progress with attacks involving malware that can execute code from a compromised system's graphics processing unit (GPU). This method is not new as demo code has been published previously. However, projects on this method have been academic or incomplete and unrefined. Earlier in August, a proof-of-concept (PoC) was found being sold on a hacker forum, thus suggesting that cybercriminals might be transitioning to a new level of sophistication for their attacks. The PoC is for a method said to protect malicious code from security solutions scanning the system RAM. The overview provided by the seller says that the method uses the GPU memory buffer to store and execute malicious code. According to the seller, the technique only works on Windows systems supporting versions 2.0 and above of the OpenCL framework for executing code on different processors, including GPUs. They claimed to have tested the code on graphics cards from Intel (UHD 620/630), Radeon (RX 5700), and more. Another member of the hacker forum pointed out that the GPU-based malware has been done before, citing JellyFish, which is a six-year PoC for a Linux-based GPU rootkit. The seller rejected this connection with the JellyFish malware, claiming that their method is different and does not depend on code mapping back to userspace. Two weeks after the announcement about this PoC on the hacker forum, the seller said they had sold the PoC, but they did not disclose the terms of the deal. This article continues to discuss the hacker forum advertisement of a PoC technique for both storing and executing malware on a graphics card, as well as the academic research that has been done on GPU-based malware.
Bleeping Computer reports "Cybercriminal Sells Tool to Hide Malware in AMD, NVIDIA GPUs"