Kaspersky Researchers Dissect Bootup Rootkit
UEFI Malware Comes From Chinese-Speaking Threat Actor
Chinese-speaking hackers are overwriting firmware to nestle rootkits deep into personal computers with examples spotted in booting systems built by two Taiwanese PC manufacturers.
Researchers from Russian cybersecurity firm Kaspersky say they found malware they've dubbed CosmicStrand in firmware images of Gigabyte or ASUS motherboards. The malware delivers a kernel-level implant into a Microsoft Windows system each time the computer boots, since hackers modified the interface between Windows and the boot firmware, an interface known as Unified Extensible Firmware Interface. UEFI replaced the older Basic Input/Output System, or BIOS, firmware interface.
Bootkit malware is especially pernicious, since it can be used to establish permanent persistence in a laptop in a logical layer beyond the reach of ordinary antivirus detection.
Infected motherboards examined by Kaspersky all ran on Intel's H81 chipset, suggesting "a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware’s image." Intel discontinued the chipset in 2020 after introducing it in mid-2013. The company did not immediately respond to Information Security Media Group's inquiry.
Victims of CosmicStrand appear to be private individuals from China, Vietnam, Iran and Russia. Chinese researchers at Qihoo360 in 2017 discovered earlier versions of the same malware family.
Kaspersky says CosmicStrand is used by an unknown Chinese-speaking threat actor. It shares code characteristics with malware known as MyKings used to infect servers with cryptocurrency mining software. A 2020 report from Sophos noted the presence of Chinese text in MyKings.
In addition, the DNS server used by CosmicStrand is located in Chinese IP space technically known as AS 4134 that's controlled by China Telecom, a fact that "could be perceived as a very low-confidence sign that the attackers are part of the Chinese-speaking nexus."
The nature of the malware suggests hackers either had physical access to infected machines or implanted precursor malware. Qihoo's 2017 report suggested the infection may have occurred through a backdoored motherboard obtained from a secondhand reseller, an assertion Kaspersky says it's unable to confirm.
Technical Analysis
CosmicStrand execution begins with a corruption of system initialization. The malware appears to be a patched version of a legitimate driver known as CSMCORE that's meant to point to the HandleProtocol boot service function. Instead, the driver points to the malware, which modifies the Archpx64TransferTo64BitApplicationAsm function called during the normal operating system startup process, at a moment when the Windows OS loader is present in memory and vulnerable to modification.
Before the Windows kernel can run, CosmicStrand sets up another hook into the system process called ZwCreateSection. At this point, the malware also seemingly attempts to disable a Microsoft security feature known as PatchGuard meant to protect the kernel.
When the kernel starts, it ends up calling a modified ZwCreateSection, allowing CosmicStrand to load additional malicious code.
Finding a way to pass malicious code through the startup phases is the main task for the rootkit, according to the researchers. It then contacts a command-and-control server to obtain the actual malicious payload.
An older version of the rootkit, likely used between the end of 2016 and mid-2017, had a similar deployment process, researchers add. The samples they studied were active in 2020.