New CosmicStrand rootkit targets Gigabyte and ASUS motherboards


Image: Adobe Stock

Malware comes in many flavors. Most often, malware consists of malicious files stored in the operating system's file system, just like any other file, and running as software with or without high privileges. Once discovered, such files can usually be deleted from the file system, or removed by reinstalling the operating system. Rootkits, however, are a different kind of malware.

What are rootkits?

Rootkits are designed to provide access to a computer and possibly hide other malicious software running on it. Some rootkits also do not reside in the operating system's usual file system but elsewhere, such as in firmware. Rootkits generally also run at kernel level instead of the usual user level.

Such a piece of malware takes far more effort to develop than classic malware, because it faces many more technical and programming challenges.

New research from Kaspersky exposes a rootkit dubbed CosmicStrand, which sits quietly in the Unified Extensible Firmware Interface (UEFI) of specific computers.

According to Kaspersky, the rootkit is located in the firmware images of Gigabyte or ASUS motherboards. The infected firmware images are related to designs using the H81 chipset, suggesting that a common vulnerability may exist which allowed the attackers to inject the rootkit into the firmware image.

How does CosmicStrand work?

Affected firmware images have been altered to run malicious code at system startup. A long execution chain is triggered to download and deploy malicious content inside the Windows operating system's kernel on the affected machine. The firmware's initial entry point has been patched to redirect to code added in the .reloc section.

The firmware is modified with an automated patcher, according to the researchers, which implies the attackers had prior access to the victim's computer in order to extract the firmware, inject the malicious code and then overwrite the motherboard's firmware.

Because the goal of this rootkit is to allow malicious code to run at the kernel level of the operating system, the infection chain is highly complex, far more so than for any classic malware infection. The UEFI code runs before the Windows system is loaded, which means the attacker has to somehow find a way to pass the malicious code to the operating system before it is launched, while the UEFI code itself will have terminated by then.

The attacker achieves this by setting several hooks in succession, allowing the malicious code to be executed after the operating system has been launched (Figure A).

Figure A

Infographic of the CosmicStrand infection chain, from UEFI boot to a running operating system. Image: Kaspersky.

During the infection chain, the rootkit takes care of disabling Kernel Patch Protection (KPP), also known as PatchGuard, a 64-bit Windows security mechanism that prevents modifications of key structures of the Windows kernel in memory.

At the end of the operating system boot, the CosmicStrand rootkit allocates a buffer in the kernel's address space and maps a shellcode there, before executing it.


The kernel-level malicious payload

The shellcode run by the rootkit waits for a new thread in winlogon.exe and then executes a callback in this high-privileged context. It then sleeps for 10 minutes before testing internet connectivity. That test is done via the Transport Driver Interface instead of the usual high-level API functions, and sends a DNS request to Google's DNS server or to a custom one located in China.

If internet connectivity is available, the shellcode retrieves the final payload from a C2 server, update.bokts[.]com. CosmicStrand expects the payload to be received in chunks of 528 bytes following a particular structure, probably to defeat automated analysis tools.

That final payload could not be retrieved by Kaspersky, but the researchers instead found a user-mode sample in the memory of one of the infected computers they could analyze. That sample, which is believed to be linked with CosmicStrand, creates a user named “aaaabbbb” on the targeted machine and adds that user to the local administrators group.

A long-running threat targeting individuals

Kaspersky discovered older versions of the rootkit that reached another C2 server to obtain additional shellcode. These older versions may have been used between the end of 2016 and mid-2017, while the latest version was active in 2020. An earlier version of the rootkit was also analyzed by Qihoo360 in 2017.

Analysis of data related to both C2 servers found by the researchers indicates that the domains had a long lifetime but resolved to different IP addresses only during limited timeframes, outside of which the rootkit would have been inoperative.

Regarding the targets of the CosmicStrand threat, Kaspersky noted that all victims in their telemetry appear to be private individuals using the free version of their product, located in China, Vietnam, Iran and Russia.

Likely Chinese threat actor

According to Kaspersky, several data points lead them to believe that “CosmicStrand was developed by a Chinese-speaking threat actor, or by leveraging common resources shared among Chinese-speaking threat actors.”

The MyKings botnet, which is believed to have been developed by Chinese-speaking threat actors, uses a number of code patterns also observed in CosmicStrand. Both threats also use identical tags when allocating memory in kernel mode and generate network packets the same way. The API hashing code used in both is also identical and, according to Kaspersky, has only been found in two other rootkits, MoonBounce and xTalker, also tied to Chinese-speaking threat actors.


How to detect rootkits?

Rootkits are particularly difficult to detect, especially when they use hardware capabilities that sit outside the operating system, which is the case for the CosmicStrand rootkit.

Security software scanning computer activity at the lowest levels might spot unusual activity from rootkits and successfully detect them.

Another way to detect it is via all systems that are not infected by the rootkit but connected to the same network: the malicious network activity can be detected just as for any other piece of malware by using Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS).

If a computer is suspected of running a UEFI rootkit, incident responders might inspect the firmware for anomalies. A firmware image that shows a different hash than the one provided by the vendor could be compromised.

Finally, it should be understood that even if malicious files are removed from the Windows operating system, they will be reinstalled by the rootkit at every boot. A clean and safe version of the firmware should be installed to replace the malicious one.
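The firmware hash check described above, as an added example that is not part of the original article or of Kaspersky's research. It assumes the responder has already dumped the SPI flash or BIOS region to a file with a separate tool and holds a vendor-published list of SHA-256 hashes; the manifest format, board name and image bytes below are constructed for the demo.

```python
import hashlib


def parse_vendor_manifest(text):
    """Parse lines of '<sha256>  <image-name>' into {name: sha256}.

    Blank lines and '#' comments are ignored (assumed manifest format)."""
    expected = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest.lower()
    return expected


def sha256_of_image(image_bytes):
    """SHA-256 hex digest of a dumped firmware image."""
    return hashlib.sha256(image_bytes).hexdigest()


def verify_firmware_image(image_bytes, image_name, expected):
    """Return (verdict, actual_sha256).

    'match'    -> image is byte-identical to the vendor release
    'mismatch' -> image differs; treat as possibly tampered and escalate
    'unknown'  -> no vendor hash for this image name; cannot conclude"""
    actual = sha256_of_image(image_bytes)
    if image_name not in expected:
        return "unknown", actual
    return ("match" if actual == expected[image_name] else "mismatch"), actual


# Constructed demo data: a pretend clean image and a copy with a single
# patched byte at its "entry point", standing in for a redirected entry.
CLEAN_IMAGE = b"\x00" * 512 + b"UEFI-ENTRY" + b"\x00" * 512        # constructed
TAMPERED_IMAGE = bytearray(CLEAN_IMAGE)
TAMPERED_IMAGE[512] = 0xE9                                         # constructed patch
SAMPLE_MANIFEST = "%s  BOARD-H81.CAP  # constructed vendor entry\n" % (
    sha256_of_image(CLEAN_IMAGE))

if __name__ == "__main__":
    manifest = parse_vendor_manifest(SAMPLE_MANIFEST)
    for label, img in (("clean", CLEAN_IMAGE), ("dumped", bytes(TAMPERED_IMAGE))):
        verdict, digest = verify_firmware_image(img, "BOARD-H81.CAP", manifest)
        print("%-6s %s %s" % (label, verdict, digest))
```

A raw SPI dump often contains NVRAM and padding that the vendor's capsule does not, so compare like-for-like regions; a "mismatch" is a reason to escalate, not proof of compromise on its own.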

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
