Gigabyte, ASUS Motherboards Found to Have CosmicStrand UEFI Malware

Security researchers at cybersecurity company Kaspersky have found a rootkit that sits virtually undetected in the firmware images of some motherboards. It is called CosmicStrand, a UEFI firmware implant that is particularly used by Chinese-speaking hackers.

Earlier, malware analysts at Qihoo360 discovered a variant of this malware and called it Spy Shadow Trojan, according to The Tech Outlook.

Researchers discovered the malware on machines with ASUS and Gigabyte motherboards. However, it is not known how the threat actor managed to inject it into the firmware images.


UEFI Malware Found in Motherboards

According to BleepingComputer, the Unified Extensible Firmware Interface (UEFI) is the software that "connects the computer's operating system with the firmware of the underlying hardware."

Firmware provides low-level control for a device's specific hardware, as per The Tech Outlook.

During a computer's boot sequence, the UEFI code is the first to run. It runs before the operating system and before any security solutions installed on the computer.

Malware injected into the UEFI firmware image is difficult to detect. Moreover, it is extremely tenacious, because it remains present even after the operating system is reinstalled or the storage drive is replaced.

According to Mark Lechtik, a former Kaspersky reverse engineer, who is now at Mandiant and was involved in the research, "the compromised firmware images came with a modified CSMCORE DXE driver, which enables a legacy boot process."

While the CosmicStrand UEFI version that Kaspersky found is more recent, Qihoo360 researchers disclosed details about an early variant of the malware in 2017.

The Qihoo360 researchers' report stated that the compromised system was powered by a second-hand ASUS motherboard bought from an online store.

Meanwhile, Kaspersky found that the CosmicStrand UEFI malware had been inserted into firmware images of Gigabyte or ASUS motherboards using the H81 chipset.

The H81 chipset is old hardware dating from 2013 to 2015, and it is mostly discontinued today.

The objective of injecting the malware into the firmware images is unclear, as the victims, private individuals in China, Iran, Vietnam, and Russia, provide few clues.


UEFI Attacks Are Becoming More Extensive

The first extensive report of UEFI malware came to light in 2018 from ESET. The malware was employed in attacks by Russian hackers in the APT28 group, also known as Sednit, Fancy Bear, and Sofacy.

In the almost four years since, reports of UEFI malware attacks in the wild have become more frequent.

Kaspersky reported on MosaicRegressor in 2020; however, it had already been used in attacks against non-governmental organizations in 2019.

TrickBot developers created TrickBoot at the end of 2020. It is "a new module that checked compromised machines for UEFI vulnerabilities," according to BleepingComputer.

In late 2021, another UEFI malware was unveiled. It was created by the Gamma Group and included in their FinFisher surveillance solution.

In 2021 as well, ESET released details about another bootkit called ESPecter. The bootkit is believed to be made primarily for espionage.

One of the most advanced UEFI firmware implants, known as MoonBounce, was revealed in January. It is being used by Winnti, a Chinese-speaking hacker group that is also known as APT41.


© 2024 iTech Post All rights reserved. Do not reproduce without permission.
