Pierluigi Paganini
May 31, 2023
Researchers from firmware security firm Eclypsium have discovered a suspected backdoor-like behavior within Gigabyte systems.
The experts discovered that the firmware in Gigabyte systems drops and executes a Windows native executable during the system startup process. The executable is utilized for insecure downloading and execution of additional payloads. The experts pointed out that this is the same behavior observed for other OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent) and firmware implants such as Sednit LoJax, MosaicRegressor, Vector-EDK.
Further analysis revealed that this behavior is present in hundreds of models of Gigabyte PCs.
“This backdoor appears to be implementing intentional functionality and would require a firmware update to completely remove it from affected systems.” reads the analysis from Eclypsium. “While our ongoing investigation has not confirmed exploitation by a specific threat actor, an active widespread backdoor that is difficult to remove poses a supply chain risk for organizations with Gigabyte systems.”
Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue.
Upon analyzing of the impacted UEFI firmware, the researchers identified a file named
File Name: 8ccbee6f7858ac6b92ce23594c9e2563ebcef59414b5ac13ebebde0c715971b2.bin, which is a Windows Native Binary executable. The executable resides in a UEFI firmware volume.
The firmware writes the executable to disk at the system boot process, this technique is commonly employed by UEFI implants and backdoors.
The executable can be used to carry out malicious activities such as downloading and executing additional payloads.
The Windows executable is a .NET application that downloads and runs an executable payload from one of the following locations, depending on its configuration:
The experts pointed out that the use of HTTP opens the doors to Machine-in-the-middle (MITM) attacks. The researchers also noticed that even when using the HTTPS protocol, the validation of the remote server certificate is not implemented correctly allowing MITM attacks also in that case.
Compounding the situation, the firmware doesn’t support digital signature verification for the executables.
“The dropped executable and the normally-downloaded Gigabyte tools do have a Gigabyte cryptographic signature that satisfies the code signing requirements of Microsoft Windows, but this does little to offset malicious use, especially if exploited using Living-off-the-Land techniques (like in the recent alert regarding Volt Typhoon attackers).” continues the report. “As a result, any threat actor can use this to persistently infect vulnerable systems either via MITM or compromised infrastructure.”
The backdoor-like behavior likely impacts more than three hundred Gigabyte systems
These issues expose organizations wide a wide range of attack scenarios.
Eclypsium recommends the following actions to minimize the risk:
The researchers are working with Gigabyte to address this issue.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Gigabyte)
