CosmicStrand UEFI Rootkit From China Exposes Gaping Holes in Firmware Security


Researchers at Kaspersky have uncovered a UEFI rootkit, active since at least 2020, in the firmware of ASUS and Gigabyte motherboards. Called CosmicStrand, the sophisticated rootkit is attributed to an unknown Chinese-speaking threat actor. It is stealthy and persistent: you would not know if your machine is compromised, and even if you did, there is not much you could do to fix it, not yet anyway.

Although the CosmicStrand samples Kaspersky analyzed date to 2020, an earlier variant of the same rootkit, which Qihoo called Spy Shadow Trojan, was in use from late 2016 to mid-2017.

CosmicStrand has so far been found only in ASUS and Gigabyte motherboards built around Intel's H81 chipset. Kaspersky's Global Research & Analysis Team (GReAT) assessed that a common, pre-existing vulnerability in these boards may have allowed the attacker to inject the rootkit into the firmware image.

“Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware,” the GReAT team said.

“This could be achieved through a precursor malware implant already deployed on the computer or physical access (i.e., an evil maid attack scenario).” Kaspersky could not confirm Qihoo's earlier account, in which a victim reported having bought the already-backdoored motherboard from a second-hand reseller.

UEFI rootkits are a worrying class of threat because they are, by design, malware embedded in the firmware of the device rather than in the operating system. CosmicStrand is a Unified Extensible Firmware Interface (UEFI) implant: it runs as part of the firmware, which is the first code executed when the machine is powered on, before any operating system is loaded.

UEFI is the specification that replaced the legacy BIOS and defines the interface between a platform's firmware and its operating system; most present-day computers use it. Firmware images are rarely inspected for code integrity, so code planted there can go unnoticed.

A UEFI rootkit hidden in device firmware can stay undetected for a long time. It is a persistent threat because reinstalling the operating system, or even wiping and replacing the hard disk, does not remove it: the malicious code lives in the SPI flash chip on the motherboard, not on the disk.

The rootkit is highly sophisticated, yet the implant measures just 96.84 kilobytes. “The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016—long before UEFI attacks started being publicly described,” Kaspersky noted. “This discovery begs a final question: If this is what the attackers were using back then, what are they using today?”


CosmicStrand rootkit UEFI implant execution chain through the Windows boot process

CosmicStrand’s goal, according to Kaspersky’s GReAT Team, is to deploy a kernel-level implant into the Windows system every time it boots, starting from an infected UEFI component. The rootkit lives inside a modified copy of a legitimate EFI driver, CSMCORE DXE, so it executes during firmware initialization, before the operating system is loaded into memory.

CSMCORE DXE is the Compatibility Support Module driver, which lets the firmware boot an operating system in legacy BIOS mode from a Master Boot Record (MBR) instead of through the native UEFI boot path with a GUID Partition Table (GPT). CosmicStrand’s developer tampered with this driver so that the rootkit’s code keeps executing through the subsequent boot stages, even after the firmware has handed control to the bootloader.

CosmicStrand therefore runs throughout the Windows boot process: in the boot manager (bootloader code), in the Windows OS loader (early kernel initialization) and in the Windows kernel itself (full kernel initialization). At each stage the rootkit installs a hook that patches the next stage before control is passed to it. This is how it transitions from firmware into the operating system.

“Finding a way to pass down malicious code all the way through the various startup phases is the main task that the rootkit accomplishes,” Kaspersky said.

Before the kernel starts, the rootkit copies malicious code into the in-memory image of ntoskrnl.exe (the Windows NT kernel executable), which contains the cache manager, the executive, the security reference monitor, the memory manager, the scheduler and other core components.

This lets CosmicStrand take control of execution once the Windows NT kernel starts and disable PatchGuard, the kernel patch protection mechanism designed to prevent exactly this kind of modification of the kernel.

[Figure: CosmicStrand UEFI rootkit execution chain. Source: Kaspersky]


CosmicStrand rootkit kernel implant

“All the steps described so far only served the purpose of propagating code execution from the UEFI down to the Windows kernel. This shellcode is the first actually malicious component of the chain so far,” Kaspersky added.

“It sets up a thread notify routine that gets invoked each time a new thread is created. CosmicStrand waits until one turns up in winlogon.exe, and then executes a callback in this high-privilege context.” In other words, the implant now has a kernel-mode foothold and runs its payload from a kernel callback in the context of a high-privilege process.

At this point CosmicStrand sleeps for ten minutes before testing internet connectivity. To stay hidden, it avoids the Windows kernel networking API functions that could raise an alarm and instead checks for a connection through the legacy Transport Device Interface (TDI).

CosmicStrand then connects to its command and control (C2) server and downloads an additional payload in chunks of 528 bytes. The chunks are reassembled into shellcode, which is loaded and executed in the kernel.

“Unfortunately, we were not able to obtain a copy of data coming from the C2 server. We did, however, find a user-mode sample in-memory on one of the infected machines we could study, and believe it is linked with CosmicStrand. This sample is an executable that runs command lines in order to create a user (“aaaabbbb”) on the victim’s machine and add it to the local administrators group,” Kaspersky explained.

Kaspersky’s researchers believe the C2 server may serve many different shellcodes, each with a different function.
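The user-mode follow-on described above, a local account created and then added to the local administrators group, leaves a recognizable trace in process-creation telemetry. The block below is an added example, not code from Kaspersky’s report or from the malware itself: it correlates `net user … /add` with `net localgroup administrators … /add` across constructed Sysmon-style process-creation records. The account name aaaabbbb is the one Kaspersky reported; every timestamp, path and other account name is made up for the example.

```python
"""Correlate local-account creation with a local-admin grant in process telemetry.

Added example; the sample records below are constructed, not real victim data.
"""
import re

# Constructed Sysmon Event ID 1-style records: (UTC timestamp, image, command line).
# net.exe hands most subcommands to net1.exe, so each command shows up twice.
SAMPLE_EVENTS = [
    ("2022-07-01T10:00:02Z", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c net user aaaabbbb /add"),
    ("2022-07-01T10:00:02Z", r"C:\Windows\System32\net.exe",
     "net user aaaabbbb /add"),
    ("2022-07-01T10:00:03Z", r"C:\Windows\System32\net1.exe",
     r"C:\Windows\system32\net1 user aaaabbbb /add"),
    ("2022-07-01T10:00:04Z", r"C:\Windows\System32\net.exe",
     "net localgroup administrators aaaabbbb /add"),
    ("2022-07-01T10:00:05Z", r"C:\Windows\System32\net1.exe",
     r"C:\Windows\system32\net1 localgroup administrators aaaabbbb /add"),
    # Benign noise: listing accounts, and an account created without an admin grant.
    ("2022-07-01T11:30:00Z", r"C:\Windows\System32\net.exe", "net user"),
    ("2022-07-01T12:00:00Z", r"C:\Windows\System32\net.exe",
     "net user helpdesk Secret1 /add"),
]

# Account name Kaspersky reported for the user-mode sample.
KNOWN_ACCOUNTS = {"aaaabbbb"}

# "net user <name> [password] /add" via net.exe or net1.exe, with or without the
# .exe suffix or a full path; the optional password is any token not starting
# with "/". Quoted names containing spaces are not handled.
USER_ADD = re.compile(
    r"(?i)\bnet1?(?:\.exe)?\s+user\s+(\S+)(?:\s+(?!/)\S+)?\s+/add\b")
# "net localgroup administrators <name> /add". The group name is localized on
# non-English Windows (e.g. "Administratoren"); extend the alternation as needed.
GROUP_ADD = re.compile(
    r"(?i)\bnet1?(?:\.exe)?\s+localgroup\s+(?:administrators|administratoren)"
    r"\s+(\S+)\s+/add\b")


def detect_admin_backdoor(events):
    """Return one finding per account that was both created and granted local admin.

    Each finding is {"account", "created", "granted", "known_ioc"}; the timestamps
    are the first time each action was seen. Events are expected in time order.
    """
    created, granted = {}, {}
    for ts, _image, cmdline in events:
        m = USER_ADD.search(cmdline)
        if m:
            created.setdefault(m.group(1).lower(), ts)
        m = GROUP_ADD.search(cmdline)
        if m:
            granted.setdefault(m.group(1).lower(), ts)
    findings = []
    for account, created_ts in created.items():
        if account in granted:
            findings.append({
                "account": account,
                "created": created_ts,
                "granted": granted[account],
                "known_ioc": account in KNOWN_ACCOUNTS,
            })
    return sorted(findings, key=lambda f: f["created"])


if __name__ == "__main__":
    for f in detect_admin_backdoor(SAMPLE_EVENTS):
        tag = "known CosmicStrand IOC" if f["known_ioc"] else "unknown account"
        print(f"{f['account']}: created {f['created']}, admin at {f['granted']} ({tag})")
```

The correlation, rather than the literal account name, is what carries over to other samples: an account that is created and promoted to local administrator within a short window, from a non-interactive parent, is suspicious regardless of the name chosen.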

The CosmicStrand rootkit is a glaring example of why firmware must be write-protected, either through the chipset locks that make the SPI flash read-only outside the firmware’s own update path, or through a physical write-protect switch for the BIOS/UEFI flash. The trade-off is that a permanently read-only flash or a physical switch also blocks legitimate updates and any patching of bugs and vulnerabilities.
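The first thing a practitioner checks on a board like this is whether the chipset actually locks the BIOS region of the SPI flash. The block below is an added example, not part of Kaspersky’s report or of any vendor tool: it decodes the lock bits of the Intel PCH BIOS_CNTL register and the SPI Protected Range registers (PR0–PR4) and decides whether the BIOS region is write-protected. The bit layout is taken from the Intel 8-series PCH datasheet (the generation H81 belongs to); the register values and the flash layout used for the demonstration are constructed, not read from a real board.

```python
"""Decide whether the BIOS region of an Intel PCH SPI flash is write-protected.

Added example. Bit layout per the Intel 8-series PCH (H81 generation) datasheet:
BIOS_CNTL lives in the LPC bridge's PCI config space (D31:F0, offset 0xDC), the
PR0-PR4 registers in the SPI controller's memory-mapped register block.
"""

# BIOS_CNTL bits
BIOSWE = 1 << 0   # BIOS Write Enable: software may write the BIOS region
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI so SMM can clear it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes allowed only while in SMM

# Protected Range register (PRx) fields
PR_WPE = 1 << 31  # Write Protection Enable for this range


def decode_bios_cntl(value):
    """Return the three lock-relevant BIOS_CNTL bits as booleans."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def decode_pr(value):
    """Return (write_protected, base, limit) for one PRx register.

    Bits 14:0 hold the base and bits 30:16 the limit, both in 4 KiB units;
    the returned limit is inclusive.
    """
    enabled = bool(value & PR_WPE)
    base = (value & 0x7FFF) << 12
    limit = (((value >> 16) & 0x7FFF) << 12) | 0xFFF
    return enabled, base, limit


def ranges_cover(ranges, lo, hi):
    """True if the union of the [base, limit] ranges covers every byte of [lo, hi]."""
    need = lo
    for base, limit in sorted(ranges):
        if base > need:
            return False          # uncovered gap before this range
        if limit >= need:
            need = limit + 1
        if need > hi:
            return True
    return need > hi


def bios_region_write_protected(bios_cntl, pr_regs, bios_base, bios_limit):
    """Return (protected, reason) for the BIOS region [bios_base, bios_limit].

    Either of two mechanisms counts as protection:
      1. the chipset lock: BLE and SMM_BWP set with BIOSWE clear, so only SMM
         code can write the region (BLE alone is weaker: it depends on an SMI
         handler clearing BIOSWE again, which can be missing or raced);
      2. protected-range registers with WPE set that together cover the whole
         BIOS region.
    """
    flags = decode_bios_cntl(bios_cntl)
    if flags["BLE"] and flags["SMM_BWP"] and not flags["BIOSWE"]:
        return True, "BIOS_CNTL lock (BLE+SMM_BWP set, BIOSWE clear)"
    protected = [(b, l) for en, b, l in map(decode_pr, pr_regs) if en]
    if ranges_cover(protected, bios_base, bios_limit):
        return True, "PR registers cover the entire BIOS region"
    if flags["BIOSWE"]:
        return False, "BIOSWE set: BIOS region writable from the OS"
    return False, "no SMM lock and PR coverage incomplete"


if __name__ == "__main__":
    # Constructed layout: an 8 MiB flash with the BIOS region in the top 3 MiB.
    bios_base, bios_limit = 0x500000, 0x7FFFFF
    for label, cntl, prs in [
        ("locked", 0x2A, []),
        ("unlocked", 0x09, []),
        ("PR-covered", 0x0A, [0x87FF0500]),
        ("PR-partial", 0x0A, [0x85FF0500]),
    ]:
        print(label, bios_region_write_protected(cntl, prs, bios_base, bios_limit))
```

On a live system the raw values come from PCI config offset 0xDC of device 00:1f.0 and from the SPI controller's register block; chipsec’s `common.bios_wp` module performs the same reads and the same kind of evaluation on real hardware, and comparing a dumped flash image against the vendor’s release image tells you whether the region has already been modified.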

It is unclear whether reflashing the firmware, either from a Windows utility or from the pre-boot firmware interface, is enough to eliminate CosmicStrand.

The known victims of CosmicStrand are private individuals in China, Vietnam, Iran and Russia, with no identified ties to any organization or industry vertical.
