Researchers have discovered malware which has been secretly infecting systems with Asus and Gigabyte motherboards for at least six years.
Since 2016, Chinese-speaking hackers have been infiltrating machines with the CosmicStrand malware, according to a BleepingComputer report.
In particular, once the malicious code has been implanted, it remains largely undetected inside the firmware images of certain motherboards. Malware that lives in the firmware image in this way is classified as a Unified Extensible Firmware Interface (UEFI) rootkit.
The strain was named CosmicStrand by researchers working for the cybersecurity firm Kaspersky. However, an earlier version of the malware, dubbed Spy Shadow Trojan, was initially discovered by Qihoo360 analysts.
For reference, UEFI is the firmware interface that sits between a computer's hardware firmware and its operating system. As such, UEFI code is executed when a computer first boots, before the operating system and any of its security measures have loaded.
As a result, malware placed in the UEFI firmware image is extremely effective at evading detection. More worrying, however, is that the malware cannot be removed by performing a clean reinstall of the operating system. You can't even get rid of it by replacing the storage drive, because the implant lives on the motherboard's firmware flash, not on the disk.
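Because the implant sits in the firmware image rather than on disk, the practical defender's check is to compare a dump of the motherboard's flash against a known-good baseline rather than to scan the filesystem. The following is an added illustration written for this page, not code from Kaspersky, Qihoo360 or the article: it walks a firmware dump looking for UEFI firmware volume headers (the `_FVH` signature at offset 40 of each header), validates each header's 16-bit checksum, and then hashes every volume and compares it with a baseline taken from a clean image. The two-volume images and the baseline are constructed inline so the script runs offline; in practice the dump would come from a vendor flash tool or an SPI programmer, and the baseline from a vendor image of the same version. Note that the header checksum only covers the header, so a modified driver inside a volume is caught by the baseline comparison and not by the checksum alone.

```python
import hashlib
import struct

FVH_SIGNATURE = b"_FVH"
# EFI_FIRMWARE_VOLUME_HEADER up to and including Revision: ZeroVector, FileSystemGuid,
# FvLength, Signature, Attributes, HeaderLength, Checksum, ExtHeaderOffset, Reserved, Revision
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)   # 56 bytes; the block map follows
SIGNATURE_OFFSET = 40                               # '_FVH' sits 40 bytes into the header


def sum16(data):
    """16-bit little-endian word sum; a valid FV header sums to zero modulo 2**16."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def build_fv(body, guid=b"\x00" * 16):
    """Construct a minimal firmware volume (one block-map entry plus terminator) around body."""
    header_len = FV_HEADER_SIZE + 16
    fv_len = header_len + len(body)
    block_map = struct.pack("<II", 1, fv_len) + struct.pack("<II", 0, 0)

    def pack(checksum):
        return struct.pack(FV_HEADER_FMT, b"\x00" * 16, guid, fv_len, FVH_SIGNATURE,
                           0x0004FEFF, header_len, checksum, 0, 0, 2) + block_map

    checksum = (-sum16(pack(0))) & 0xFFFF          # make the header words sum to zero
    return pack(checksum) + body


def find_volumes(image):
    """Return [{'offset', 'length', 'header_ok'}] for every '_FVH' header found in image."""
    vols = []
    pos = image.find(FVH_SIGNATURE)
    while pos != -1:
        start = pos - SIGNATURE_OFFSET
        if start >= 0 and start + FV_HEADER_SIZE <= len(image):
            (_, _, fv_len, _, _, hdr_len, _, _, _, _) = struct.unpack_from(FV_HEADER_FMT, image, start)
            header_ok = (FV_HEADER_SIZE + 16 <= hdr_len <= fv_len
                         and hdr_len % 2 == 0
                         and start + fv_len <= len(image)
                         and sum16(image[start:start + hdr_len]) == 0)
            vols.append({"offset": start, "length": fv_len, "header_ok": header_ok})
        pos = image.find(FVH_SIGNATURE, pos + 1)
    return vols


def volume_hashes(image):
    """SHA-256 of each structurally valid volume, keyed by its offset in the image."""
    return {v["offset"]: hashlib.sha256(image[v["offset"]:v["offset"] + v["length"]]).hexdigest()
            for v in find_volumes(image) if v["header_ok"]}


def check_image(image, baseline):
    """Compare every volume in image with the baseline; returns [(offset, status)]."""
    findings = []
    for v in find_volumes(image):
        off = v["offset"]
        if not v["header_ok"]:
            findings.append((off, "bad_header"))
            continue
        digest = hashlib.sha256(image[off:off + v["length"]]).hexdigest()
        if off not in baseline:
            findings.append((off, "unknown_volume"))
        elif baseline[off] != digest:
            findings.append((off, "modified"))
        else:
            findings.append((off, "ok"))
    return findings


# Constructed sample: a "clean" two-volume image and the baseline derived from it.
CLEAN_IMAGE = build_fv(b"DXE-CORE" + b"\x00" * 56) + build_fv(b"BOOT-DRIVER" + b"\x00" * 53)
SECOND_VOLUME = len(build_fv(b"DXE-CORE" + b"\x00" * 56))   # offset of the second volume (136)
BASELINE = volume_hashes(CLEAN_IMAGE)


def tampered_image():
    """Constructed dump with one byte of the second volume's driver body changed."""
    img = bytearray(CLEAN_IMAGE)
    img[SECOND_VOLUME + FV_HEADER_SIZE + 16 + 4] ^= 0xFF
    return bytes(img)


def corrupted_header_image():
    """Constructed dump whose first volume header no longer checksums to zero."""
    img = bytearray(CLEAN_IMAGE)
    img[44] ^= 0x01                                 # low byte of the Attributes field
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("tampered", tampered_image()),
                       ("corrupt-header", corrupted_header_image())):
        print(label, check_image(img, BASELINE))
```

Run against a real dump, the first thing to look at is any volume reported as `modified` or `unknown_volume`; a `bad_header` on a volume that the vendor image parses cleanly is also worth a look, since a rewritten volume that was not re-checksummed looks exactly like that.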
“This driver was modified to intercept the boot sequence and insert malicious logic into it,” said Mark Lechtik, who previously worked as a reverse engineer for Kaspersky.
Kaspersky said the CosmicStrand UEFI rootkit was found in firmware images of Gigabyte and Asus motherboards using the H81 chipset, which was sold in hardware between 2013 and 2015.
The victims of CosmicStrand were private individuals located within China, Iran, Vietnam, and Russia, and thus could not be linked to a nation state, organization, or industry. That said, researchers confirmed a link from CosmicStrand to a Chinese-speaking threat actor due to code patterns that appeared in a separate crypto mining botnet.
Kaspersky emphasized that the CosmicStrand UEFI firmware rootkit can more or less remain on an infected system forever.
UEFI malware was first reported in 2018 by another online security company, ESET. Known as LoJax, it was used by Russian hackers belonging to the APT28 group. Since then, the number of UEFI-based rootkits infecting systems has steadily increased, including ESPecter, a kit said to have been deployed for espionage purposes since 2012.
Elsewhere, security analysts said they spotted “the most advanced UEFI firmware” implant earlier this year in the form of MoonBounce.