Researchers have unpacked a major cybersecurity find—a malicious UEFI-based rootkit used in the wild since 2016 to ensure computers remained infected even if an operating system is reinstalled or a hard drive is completely replaced.
The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC’s device firmware with its operating system, the UEFI—short for Unified Extensible Firmware Interface—is an OS in its own right. It’s located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it’s the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.
Exotic, yes. Rare, no.
On Monday, researchers from Kaspersky profiled CosmicStrand, the security firm’s name for a sophisticated UEFI rootkit that the company detected and obtained through its antivirus software. The find is among only a handful of such UEFI threats known to have been used in the wild. Until recently, researchers assumed that the technical demands required to develop UEFI malware of this caliber put it out of reach of most threat actors. Now, with Kaspersky attributing CosmicStrand to an unknown Chinese-speaking hacking group with possible ties to cryptominer malware, this type of malware may not be so rare after all.
“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016—long before UEFI attacks started being publicly described,” Kaspersky researchers wrote. “This discovery begs a final question: If this is what the attackers were using back then, what are they using today?”
While researchers from fellow security firm Qihoo360 reported on an earlier variant of the rootkit in 2017, Kaspersky and most other Western-based security firms didn’t take notice. Kaspersky’s newer research describes in detail how the rootkit—found in firmware images of some Gigabyte or Asus motherboards—is able to hijack the boot process of infected machines. The technical underpinnings attest to the sophistication of the malware.
In an email, Kaspersky researcher Ivan Kwiatkowski wrote:
A rootkit is a piece of malware that runs in the deepest regions of the operating system it infects. It leverages this strategic position to hide information about its presence from the operating system itself. A bootkit, meanwhile, is malware that infects the boot process of a machine in order to persist on the system. The successor to legacy BIOS, UEFI is a technical standard defining how components can participate in the startup of an OS. It’s the most “recent” one, as it was introduced around 2006. Today, almost all devices support UEFI when it comes to the boot process. The key point here is that when we say something takes place at the UEFI level, it means that it happens when the computer is starting up, before the operating system has even been loaded. Whatever standard is being used during that process is only an implementation detail, and in 2022, it will almost always be UEFI anyway.
So a rootkit may or may not be a bootkit, depending on where it is installed on the victim’s machine. A bootkit may or may not be a rootkit, as long as it infected a component used for the system startup (but considering how low-level these usually are, bootkits will usually be rootkits). And firmware is one of the components which can be infected by bootkits, but there are others, too. CosmicStrand happens to be all of these at the same time: It has the stealthy rootkit capabilities and infects the boot process through malicious patching of the firmware image of motherboards.
The workflow of CosmicStrand consists of setting “hooks” at carefully selected points in the boot process. Hooks are modifications to the normal execution flow. They usually come in the form of additional code developed by the attacker, but in some cases, a legitimate user may inject code before or after a particular function to bring about new functionality.
The CosmicStrand workflow looks like this:
- The initial infected firmware bootstraps the whole chain.
- The malware sets up a malicious hook in the boot manager, allowing it to modify Windows’ kernel loader before it is executed.
- By tampering with the OS loader, the attackers are able to set up another hook in a function of the Windows kernel.
- When that function is later called during the normal startup procedure of the OS, the malware takes control of the execution flow one last time.
- It deploys a shellcode in memory and contacts the C2 server to retrieve the actual malicious payload to run on the victim’s machine.
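Because the whole chain above starts from a patched firmware image in the SPI flash, the most direct defender-side check is to dump that flash and compare it against a known-good image of the same firmware version. The following is an added example (not code from the article or from Kaspersky): a block-wise comparison that reports the byte ranges that differ, run here on constructed sample images rather than a real dump.

```python
"""Added example (not from the article or Kaspersky): a defender-side
integrity check for a dumped UEFI firmware image.

CosmicStrand persists by patching the firmware image stored in the SPI
flash. One way to spot such tampering is to dump the flash (with a hardware
programmer or a vendor tool) and compare it block by block against a
known-good image of the same firmware version. This function reports the
byte ranges that differ; the images below are constructed sample data."""

import hashlib
from typing import List, Tuple


def modified_regions(baseline: bytes, dump: bytes, block: int = 4096) -> List[Tuple[int, int]]:
    """Return [(start, end), ...] byte ranges (end exclusive) whose blocks
    differ between the known-good image and the dump, merging neighbours.

    A size mismatch is rejected outright: a flash image for a given part has
    a fixed size, so a different length already indicates the wrong baseline
    or a bad dump."""
    if len(baseline) != len(dump):
        raise ValueError(f"size mismatch: baseline {len(baseline)} B, dump {len(dump)} B")
    regions: List[Tuple[int, int]] = []
    for off in range(0, len(baseline), block):
        # Compare digests rather than raw slices so the same loop can be
        # reused against a stored list of per-block baseline hashes.
        b = hashlib.sha256(baseline[off:off + block]).digest()
        d = hashlib.sha256(dump[off:off + block]).digest()
        if b != d:
            end = min(off + block, len(baseline))
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], end)  # extend the previous run
            else:
                regions.append((off, end))
    return regions


# Constructed sample: a 64 KiB "image" of repeating bytes, and a dump with a
# 300-byte modification spanning the boundary of blocks 2 and 3.
BASELINE = bytes(range(256)) * 256
_patch_offset = 3 * 4096 - 100
DUMP = BASELINE[:_patch_offset] + b"\x90" * 300 + BASELINE[_patch_offset + 300:]

if __name__ == "__main__":
    for start, end in modified_regions(BASELINE, DUMP):
        print(f"modified: 0x{start:08x}-0x{end:08x}")
```

In practice the baseline must come from the vendor's image for the exact board and firmware revision, and a reported region still has to be examined (a firmware volume or DXE driver that should not be there is the telltale sign, not the mere presence of a difference, since NVRAM regions legitimately change).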