Thunderstrike 2 rootkit infects Mac firmware

A security researcher developed an improved version of the Thunderstrike rootkit that uses Thunderbolt accessories to infect the Mac firmware.

Earlier this year, security expert Trammell Hudson presented a proof-of-concept firmware called Thunderstrike. Thunderstrike is a hacking technique to infect Apple’s Mac PCs with EFI Bootkit through the Thunderbolt port.

The expert demonstrated how to compromise accessories connected to the Thunderbolt port to infect Mac PC. The expert demonstrated that the malware inoculated through Thunderbolt port can also infect other Mac by propagating to other accessories.

All Mac computers that come with a Thunderbolt port are theoretically vulnerable to attack.

In January 2015 Apple released the version OS X 10.10.2 to patch the exploit, but a couple of researchers have developed a new malware based on the Thunderstrike code, dubbed “Thunderstrike 2.”

Xeno Kovah, a researcher from the Hudson and LegbaCore, demonstrated that Thunderstrike 2 spreads primarily through infected Thunderbolt accessories.

The Kovah’s hacking technique improved the previous one, it overwhelms the need to have a physical access to the target computer. The attacker can spread the exploit via phishing emails or through a compromised web.

“An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site. That malware would then be on the lookout for any peripherals connected to the computer that contain option ROM, such as an Apple Thunderbolt Ethernet adapter, and infect the firmware on those. The worm would then spread to any other computer to which the adapter gets connected.” states a post published by Wired.

Thunderstrike 2, such as many other firmware malware, are not easy to detect by common antivirus software. Another aspect to consider is the difficulty to remove Thunderstrike 2 firmware malware, as explained in the FAQ it is not possible to use the Option ROM technique to replace the modified boot ROM with a clean and legitimate copy.

“You can’t use Thunderstrike to remove Thunderstrike“

Another element of concern is that the security vulnerabilities exploited by Thunderstrike 2 are common to most EFI firmware.

Security experts have already discovered six vulnerabilities that affected PCs from Dell, HP, Lenovo, Samsung, and others.

“Of those, five also applied to the Mac’s firmware, and of those, Apple has fully patched one, partially patched another, and failed to patch three more.” states Arstechnica.

The expert already reported the flaws to Apple that likely will patch them in the next release.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Thunderstrike 2, malware)

[adrotate banner=”12″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.