acm-header
Sign In

Communications of the ACM

ACM TechNews

Experts Uncover 'CosmicStrand' UEFI Firmware Rootkit Used by Chinese Hackers


Computer code on a green and black DOS-type screen

Kaspersky's attribution to a Chinese-speaking threat actor stems from code overlaps between CosmicStrand and other malware.

A new Unified Extensible Firmware Interface (UEFI) firmware rootkit called CosmicStrand, which resides in firmware images of Gigabyte or ASUS motherboards, has been attributed to to unknown Chinese-speaking hackers, according to researchers at the Kaspersky cybersecurity company. "We noticed that all these images are related to designs using the H81 chipset," said the researchers. "This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware's image."

Attacks aim to interfere with the operating system loading process to implement a kernel-level implant into a Windows machine whenever it is booted. It uses this access to launch shellcode that connects to a remote server to retrieve the malware to be deployed on the system. Researchers noted CosmicStrand appears to have been used in the wild since the end of 2016, before UEFI rootkit exploits began to be publicly detailed.

From The Hacker News
View Full Article

 

Abstracts Copyright © 2021 SmithBucklin, Washington, DC, USA


 

No entries found