ASUS and Gigabyte motherboards carried CosmicStrand malware

August 1, 2022
ASUS Gigabyte Motherboard CosmicStrand Malware Hardware Vulnerability UEFI Rootkit Chinese Hackers

Cybersecurity researchers have spotted the CosmicStrand malware inside the devices of Gigabyte and ASUS motherboards. CosmicStrand is a new strain of UEFI rootkit that is becoming a trend among China-based threat groups. Chinese-speaking threat actors utilised the well-known rootkit since at least 2016 to infect targets in Russia, China, Iran, and Vietnam.

CosmicStrand has been discovered on devices with specific motherboards from ASUS and Gigabyte. However, the researchers are still puzzled about how the adversaries obtained access to their targeted machines and how they infiltrated the motherboard development.

 

The analysts emphasised that the CosmicStrand malware has been an elusive entity, making it challenging to analyse its capabilities.

 

They also added that the malware has a lengthy and unique execution attack chain to compromise Windows devices with a kernel-mode payload while remaining undetected.

The malware can also establish persistence inside an infected system if staying in the target’s machine is practical for the threat actors. The UEFI software also interfaces between the Operating System of a device and firmware, giving the minimum level of control over particular hardware of a machine.

In addition, the UEFI code and tool are the first to initiate during a computer’s initial start-up (boot) sequence, preceding the operation system and any available security products. Suppose malware is injected into the UEFI firmware image. In that case, reinstalling the operating system or replacing the storage drive will make it more difficult to spot and delete from the machine.

UEFI rootkits are rare and can only be seen by many in highly targeted and prioritised cyber-attacks. This type of malicious malware is exclusively designed by its authors to infect computers at the most standard level and ensures that a computer stays infected for an extended period.

These infections can deflect any countermeasure, such as reinstallation of the operating system or the user replacing the device’s hard drive. CosmicStrand is the second UEFI-based malware rootkit variant discovered in 2020, following the discovery of MoonBounce in the first month of this year.

About the author

Leave a Reply