Kaspersky experts have discovered a new example of a UEFI rootkit: CosmicStrand. At the moment, the CosmicStrand kit only targets private individuals and not companies. But that changes is only a matter of time.
Kaspersky experts have discovered a rootkit developed by an Advanced Persistent Threat (APT) actor that remains on the victim's computer even after the operating system is restarted or Windows is reinstalled. The UEFI firmware rootkit 'CosmicStrand' has so far been used mainly for attacks on private individuals in China, with some victims also located in Vietnam, Iran and Russia.
UEFI rootkits are persistent
UEFI firmware is a critical component found in the vast majority of hardware. Your code is responsible for booting up a device and starting the software component that loads the operating system. If attackers manage to place malicious code in the UEFI firmware, that code will launch before the operating system, which may prevent security solutions from detecting its activity and thus failing to protect the operating system. This, plus the fact that the firmware resides on a separate chip from the hard drive, makes UEFI firmware attacks particularly difficult to detect and exceptionally persistent. Because no matter how many times the operating system is reinstalled, the malware stays on the device.
Old CosmicStrand rediscovered
CosmicStrand is the latest discovery of a UEFI firmware rootkit by Kaspersky experts; it is attributed to a previously unknown Chinese-speaking APT actor. While the actual target of the attackers is not yet known, the researchers noted that the firmware only targets individuals and not the usual corporations. All of the compromised computers were Windows-based: every time a computer was restarted, malicious code ran after Windows started, the purpose of which was to connect to a C2 (Command-and-Control) server and run an additional malicious executable to download.
Kaspersky experts have not yet been able to identify how the rootkit got onto the infected computers, but unconfirmed accounts discovered online suggest that some users may have received compromised devices when ordering hardware components online. It is also interesting to note that the CosmicStrand UEFI implant has arguably been used in the wild since late 2016 - long before UEFI attacks were even publicly described.
CosmicStrand surfaced back in 2016
"Although the CosmicStrand UEFI firmware rootkit was only recently discovered, it appears to have been around for quite some time. This suggests that some threat actors have very advanced capabilities that ensured the firmware was able to go undetected for so long. We now have to wonder what new tools they have developed in the meantime that we have yet to discover,” comments Ivan Kwiatkowski, Senior Security Researcher at Kaspersky's Global Research and Analysis Team.
More at Kaspersky.com
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/