top of page

Taking a Deeper Look Into New UEFI Invisible Rootkit


The thing about malware is that anti-malware signatures assign a unique hash that is used to identify it. If it can be detected before its nasty payload is deployed, then, it is known, and a defense exists.


Most malware burrows itself into the operating system layer, though a smart malware writer will code their script to hide within the device’s hardware, allowing it to evade OS-level security audits. I am describing rootkits.


The thing about rootkits is that they are not all cut from the same cloth. While some can hide within a device’s hardware or inject themselves within the device’s firmware, others can infect your bootloader. This means, that the malicious code is activated before your device’s operating system is loaded.


Others can hide within your memory or replace or infect your most commonly used applications, so the malicious code is activated every instance you run the app. And some can infect the kernel or registry, the hive or brain of your operating system.


The issue with rootkits of this nature is that it does not matter how many times you reinstall the operating system. They are usually still there. One of my second-hand laptops has a rootkit that affects the device’s performance. I did not realize it was a rootkit until I found artifacts hidden on the file system left over by the attacker.


After attempting to reinstall Windows several times, I found that the problems persisted. Even though my laptop was triple-booted, it did not matter what OS I used. It was embedded somewhere within the hardware, excluding the RAM. A memory dump did not eliminate the problem.



Researchers Dig Deep to Understand UEFI Rootkit


Now, fast-forward to the present day. Researchers from Kaspersky have made a disturbing discovery. A persistent Unified Extensible Firmware Interface-based rootkit, referred to by the researchers as CosmicStrand, has remained extant since its first deployment in 2016. The UEFI rootkit is among only a handful of similar rootkits that have been detected in the wild.


It is a rather sophisticated malware and is thought to be generally beyond the scope of skill sets employed by most threat actors due to the technical knowledge required to develop UEFI malware of this level. Because of this, there are not many UEFI-based rootkits out there in the wild. The required technical prowess is in a league of its own.


UEFI is a base-level firmware that comes with your motherboard and is the first thing that runs whenever you boot up any modern computer, regardless of the OS you use. It is a security feature that allows troubleshooting and it is embedded in an SPI-connected flash storage chip directly connected to the computer’s motherboard.


Imagine having a sophisticated piece of malware hiding in a microchip, and activated every time you turn on your computer. That is exactly what CosmicStrand is and does. Kaspersky has attributed the rootkit to an unidentified hacking group operating out of China, who ostensibly have ties to crypto mining malware.

In 2017, researchers from an associated security firm, Qihoo 360 found and reported on an earlier variation of the rootkit, in the form of a bootkit. Bootkits are designed to load as early as possible during the boot process.


It had infected the BIOS, and reinstalling the OS proved futile. It was hiding within the motherboard, and though antivirus software altered the user of the malicious presence, it could not be purged by any conventional means.


Additionally, it created a secret user account, allowing the attacker remote access to the infected machine. For this reason, researchers dubbed it Spy Shadow Trojan, at the time. What is interesting about Spy Shadow Trojan is that it was the first instance of malware infecting a UEFI motherboard. It could infect the BIOS boot module in UEFI compatibility mode, impacting UEFI and GPT mode.


Thus, it could be said that CosmicStrand is what Spy Shadow Trojan has become.

Researchers from Kaspersky said--


“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016 — long before UEFI attacks started being publicly described. This discovery begs a final question: If this is what the attackers were using back then, what are they using today?”

What is interesting about CosmicStrand is that it is programmed to make certain modifications to the normal execution flow of the boot process, known as “hooks.” This can consist of code provided by the attacker, but it can also come from a legitimate user who can inject code before or after certain functions to cause new functions to occur.


Think about it. If an attacker was able to tamper with the bootloader of your system, it could be the perfect launching pad to modify the Windows kernel, set up a C2 server for the attacker to access the file system, and deploy additional payloads, and all by infecting the system’s firmware embedded on a chip within the motherboard. I do not even want to imagine a computer manufacturer falling prey to these kinds of attacks before systems reach store shelves.


CosmicStrand’s execution chain initiates with a driver, that appears authentic, called CSMCORE, which establishes a pointer to a boot service function called a HandleProtocol.


Therefore, during the instance when the HandleProtocol is called, the execution is transferred to code supplied by the threat actor, which looks for certain criteria looking back at the component that called it and the specific bytes that were included in the return address.



Kaspersky explained--


“This specific point in the execution was chosen because at this stage, the boot manager is loaded in memory but isn’t yet running. CosmicStrand seizes this chance to patch a number of bytes in its Archpx64TransferTo64BitApplicationAsm."

Ultimately, the process might be technically dense to some readers. While the discovery of the extant rootkit by researchers has seemingly not disclosed an immediate fix, doing so might constitute an article unto itself and might be best suited for another time.


Nevertheless, it is interesting that such a vastly sophisticated piece of malware has continued to operate under the radar, thriving right under our noses.



An article by

Jesse McGraw


Edited by

Anne Caminer





25 views
Screen Shot 2022-06-13 at 4.57.16 PM.png

Detect, respond, prevent and SOAR with ORNA

Subscribe

Weekly cyber insights

Thanks for submitting!

bottom of page