Researchers at the cybersecurity company Kaspersky have discovered a new form of malware that resides in the motherboard’s UEFI firmware. The malware is a type of rootkit that remains in place even after the host hard drive or SSD has been wiped or replaced.
Kaspersky Lab engineers named it CosmicStrand. It is reportedly an evolution of earlier malware called the Spy Shadow Trojan, which was discovered back in 2016. Researchers have found CosmicStrand in Asus and Gigabyte motherboard firmware. However, you should not panic.
The infected systems ran on motherboards based on the H81 chipset, which is many years old. An attacker would also need access to the system, or other malware already running on it, to modify or patch the firmware and inject CosmicStrand. So if you’re reading this, don’t assume that Asus or Gigabyte systems have been insecure all these years, or that your system has been compromised. Until further research is done, it may be that CosmicStrand can only exploit a possible vulnerability in the H81 UEFI firmware.
The malware installs a series of hooks that give it access to the Windows kernel, which ultimately leads to the infected OS fetching a payload that is executed on the victim’s computer. Kaspersky Lab engineers were unable to obtain the payload itself, but they believe the malware shares code patterns with the Chinese group behind the MyKings cryptocurrency-mining botnet.
UEFI, or Unified Extensible Firmware Interface, is almost like a mini operating system. It is the interface between the system hardware and software, so compromising it affects the OS and all software running on the system. UEFI is generally secure, and tampering with it requires some coding knowledge, so very few UEFI threats are known.
The Kaspersky Lab report states that “the numerous rootkits discovered so far are indicative of a blind spot in our industry that needs to be addressed as soon as possible”.
So while the threat is limited, it highlights the need for the industry to pay close attention to possible vulnerabilities.