"Rare 'CosmicStrand' UEFI Rootkit Swings into Cybercrime Orbit"

The "CosmicStrand" Windows firmware rootkit has emerged in the cyberthreat landscape, targeting the Unified Extensible Firmware Interface (UEFI) for stealth and persistence. UEFI firmware is responsible for booting Windows computers and loading the operating system. As a result, if the firmware contains malicious code, that code executes before the operating system, rendering it invisible to most security measures and operating system-level defenses. This, combined with the fact that the firmware lives on a chip separate from the hard drive, makes attacks on UEFI firmware highly evasive and persistent. According to researchers, no matter how many times the operating system is reinstalled, the malware remains on the device. After a lengthy execution chain, the code deploys a malicious component inside the Windows operating system. This component connects to a command-and-control (C2) server and waits for commands to download further malicious code snippets, which the malware maps into kernel space and assembles into shellcode. Researchers obtained a shellcode sample that was used to create a new user on the victim's machine and add it to the local administrators group. From this they deduce that shellcodes received from the C2 server could be stagers for attacker-supplied PE executables, and that there are likely many more of them. Rootkits pose a significant risk, according to the US Department of Homeland Security (DHS) and Department of Commerce in a March report on firmware threats. By subverting OS and hypervisor visibility, attackers can bypass most security systems, hide and persist in networks and devices for extended periods while conducting attack operations, and inflict irreversible damage. According to the researchers, this campaign appears to be highly targeted at specific individuals in China, with some cases seen in Iran and Vietnam. It is unclear what CosmicStrand's ultimate goal is, but it is most likely an espionage campaign.
Researchers attributed the campaign to an unknown Chinese-speaking Advanced Persistent Threat (APT) with overlaps with the MyKings botnet gang. This article continues to discuss findings surrounding the CosmicStrand UEFI rootkit.
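The one post-boot behaviour the summary describes concretely is a shellcode that creates a local user and adds it to the local Administrators group. Because the firmware implant itself sits below the operating system, the OS-level event trail of that action is one of the few places a defender can still observe it. The following is an added detection example (not code from the article or from the researchers); it correlates Windows Security event 4720 (user account created) with a subsequent event 4732 (member added to a security-enabled local group) whose group SID is the well-known local Administrators SID S-1-5-32-544, inside a short time window. The event records are constructed sample data in a simplified JSON-like shape with the member name already resolved; the field names (`event_id`, `computer`, `target_user`, `member`, `group_sid`, `time`) and the ten-minute window are assumptions of this example, not of any real log format.

```python
"""Flag local accounts that were created and promoted to Administrators in quick succession.

Added example for the behaviour described in the CosmicStrand summary; the events
below are constructed, not real telemetry.
"""
from datetime import datetime, timedelta

# Well-known SID of the built-in local Administrators group (same on every Windows host).
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample events. Field names are this example's own simplification of
# Windows Security log fields (event 4720 = account created, 4732 = member added
# to a security-enabled local group).
SAMPLE_EVENTS = [
    # host1: new account created, then added to Administrators one minute later -> suspicious
    {"time": "2022-07-25T10:00:00", "computer": "HOST1", "event_id": 4720,
     "target_user": "svc_upd", "subject_user": "SYSTEM"},
    {"time": "2022-07-25T10:01:00", "computer": "HOST1", "event_id": 4732,
     "member": "HOST1\\svc_upd", "group_sid": ADMINISTRATORS_SID, "subject_user": "SYSTEM"},
    # host2: an existing account promoted by an admin, no preceding 4720 -> not correlated here
    {"time": "2022-07-25T10:05:00", "computer": "HOST2", "event_id": 4732,
     "member": "HOST2\\jdoe", "group_sid": ADMINISTRATORS_SID, "subject_user": "helpdesk"},
    # host3: account created, promoted two hours later -> outside the window
    {"time": "2022-07-25T09:00:00", "computer": "HOST3", "event_id": 4720,
     "target_user": "tmp", "subject_user": "helpdesk"},
    {"time": "2022-07-25T11:00:00", "computer": "HOST3", "event_id": 4732,
     "member": "HOST3\\tmp", "group_sid": ADMINISTRATORS_SID, "subject_user": "helpdesk"},
    # host1: membership change for a different group (Remote Desktop Users) -> ignored
    {"time": "2022-07-25T10:02:00", "computer": "HOST1", "event_id": 4732,
     "member": "HOST1\\svc_upd", "group_sid": "S-1-5-32-555", "subject_user": "SYSTEM"},
]


def _parse_time(value):
    """Parse the ISO-8601 timestamp used by the sample events."""
    return datetime.fromisoformat(value)


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Return one finding per account that was created (4720) and then added to the
    local Administrators group (4732, group SID S-1-5-32-544) on the same host within
    `window`. Events are processed in time order so the 4720 must precede the 4732."""
    created = {}   # (computer, lowercase username) -> creation time
    findings = []
    for ev in sorted(events, key=lambda e: _parse_time(e["time"])):
        ts = _parse_time(ev["time"])
        if ev["event_id"] == 4720:
            created[(ev["computer"], ev["target_user"].lower())] = ts
        elif ev["event_id"] == 4732 and ev["group_sid"] == ADMINISTRATORS_SID:
            # Strip the DOMAIN\ or HOST\ prefix so it matches the 4720 TargetUserName.
            member = ev["member"].split("\\")[-1].lower()
            key = (ev["computer"], member)
            if key in created and ts - created[key] <= window:
                findings.append({
                    "computer": ev["computer"],
                    "user": member,
                    "created_at": created[key].isoformat(),
                    "promoted_at": ts.isoformat(),
                    "promoted_by": ev["subject_user"],
                })
    return findings


if __name__ == "__main__":
    for hit in find_new_local_admins(SAMPLE_EVENTS):
        print("suspicious local admin creation:", hit)
```

Running the script reports only the HOST1 account: the promotion on HOST2 has no matching creation event, the HOST3 pair falls outside the window, and the second HOST1 membership change targets a different group. In a real pipeline the 4732 record usually carries the member as a SID (MemberSid) rather than a resolved name, so the join key would be the SID rather than the username shown here.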

Dark Reading reports "Rare 'CosmicStrand' UEFI Rootkit Swings into Cybercrime Orbit"
