CosmicStrand, a new sophisticated UEFI firmware rootkit linked to China

Kaspersky uncovered a new UEFI firmware rootkit, tracked as CosmicStrand, which it attributes to an unknown Chinese-speaking threat actor.

Researchers from Kaspersky have spotted a UEFI firmware rootkit, named CosmicStrand, which has been attributed to an unknown Chinese-speaking threat actor. This malware was first spotted by Chinese firm Qihoo360 in 2017.

The researchers were not able to determine the initial attack vector, but the analysis of the malicious code allowed the experts to discover which devices can be infected by the CosmicStrand. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, which are related to designs using the H81 chipset. The researchers speculate the existence of a common vulnerability that was exploited by the attackers to inject the rootkit into the firmware’s image.

“In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain which results in the download and deployment of a malicious component inside Windows.” reads the analysis published by the experts. “Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware.”

The researchers believe that the attackers could have used a precursor malware implant to inject the rootkit or may have had physical access to the target device.

The infection process aims at tampering with the OS loader to set up another hook in a function of the Windows kernel. Once this function is called during the normal bootstrap procedure of the OS, the malware takes control of the execution flow one last time.

The malicious code injects a shellcode in memory and contacts the C2 server to retrieve the actual malicious payload to run on the target machine.

CosmicStrand retrieves the final payload by sending a specifically crafted UDP (preferably) or TCP packet to the C2 server (update.bokts[.]com), which in turn replies one or several packets containing chunks of 528 bytes with a specific structure. Then the chunks are reassembled into a series of bytes that are mapped into kernel space and interpreted as a shellcode.

The victims identified by the researchers are private individuals located in China, Vietnam, Iran, and Russia, with no link with any organization or industry vertical.

The experts attribute the rootkit to a Chinese-speaking threat actor due to code overlaps between CosmicStrand and other malware strains, such as the MyKings botnet and the MoonBounce UEFI implant.

“CosmicStrand is a sophisticated UEFI firmware rootkit that allows its owners to achieve very durable persistence: the whole lifetime of the computer, while at the same time being extremely stealthy. It appears to have been used in operation for several years, and yet many mysteries remain.” concludes the report. “How many more implants and C2 servers could still be eluding us? What last-stage payloads are being delivered to the victims? But also, is it really possible that CosmicStrand has reached some of its victims through package “interdiction”? In any case, the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CosmicStrand)

[adrotate banner=”5″]

[adrotate banner=”13″]