By Mary Grlic
Researchers recently uncovered a major security concern: a UEFI-based rootkit. Named “CosmicStrand” by cybersecurity company Kaspersky, the rootkit implants itself in the most basic software of a computer, the UEFI firmware. This makes it extremely difficult to protect devices or to reach the root of the malware itself. These sorts of attacks are especially harmful to devices – but why? How does CosmicStrand affect computers, and what is the future of rootkit malware?
What is a Rootkit Virus?
A rootkit virus is a type of malware that runs in the deepest parts of the operating system. Hackers use this software to gain complete control of a device or network. This is a very dangerous type of malware that hackers use to gain persistent access. It is especially harmful because device users may not even be able to see it.
What is UEFI?
The UEFI – Unified Extensible Firmware Interface – is the low-level software that boots up a computer. It is in a flash storage chip on the device’s motherboard. This makes it difficult to inspect the code. The UEFI is the first software that runs when the computer turns on, influencing the operating system and applications that follow.
UEFI Rootkit Goes a Step Further
A UEFI-based rootkit is a major threat. Because UEFI is practically the base of the computer’s operation, any malware or damage done at this stage will be detrimental to the device. Even after a complete reinstallation of the operating system or a replacement of the hard drive, the device will still be infected with any UEFI-based malware. A UEFI-based rootkit is also extremely difficult to detect.
Kaspersky researchers identified a UEFI rootkit called CosmicStrand in a report published July 25, 2022. They attribute the rootkit to an unknown Chinese-speaking threat actor. One of Kaspersky’s industry partners, Qihoo360, also shared a blog post about an early variant of CosmicStrand back in 2017. These instances are among the very few such UEFI cyberthreats that researchers know of. Kaspersky researchers concluded that these sorts of UEFI implants have been around since the end of 2016 and into 2017, meaning that they went practically unnoticed for years. Now, in 2022, these attacks are even more sophisticated, leading researchers at Kaspersky to ask “what are they using today?”
How the CosmicStrand Virus Works
CosmicStrand infects devices through the following processes, as directly stated from Kaspersky’s recent report:
- The initial infected firmware bootstraps the whole chain.
- The malware sets up a malicious hook in the boot manager, allowing it to modify Windows’ kernel loader before execution.
- By tampering with the OS (operating system) loader, the attackers are able to set up another hook in a function of the Windows kernel.
- When that function is later called during the normal startup procedure of the OS, the malware takes control of the execution flow one last time.
- It deploys a shellcode in memory and contacts the C2 server to retrieve the actual malicious payload to run on the victim’s machine.
The entire procedure is basically a set of strategic “hooks” in various parts of the boot process. The malicious code keeps running until after the operating system has started. The rootkit firmware first “hooks” the EFI Boot Services and then passes control along the chain so that it can load into Windows. Since the rootkit attacks at the “root,” it follows the boot process all the way through the device’s operating system and ends up in control of the machine.
Step by Step of CosmicStrand
The entire chain starts with an EFI driver. It poses as a legitimate driver named CSMCORE, which supports booting a device in legacy mode via the Master Boot Record (MBR). The attackers modified the pointer to the HandleProtocol boot service so that, when it is called, execution is redirected to the attacker’s code and the specific bytes it patches.
At this point, “the boot manager is loaded in memory but isn’t yet running,” according to Kaspersky researchers. “CosmicStrand seizes this chance to patch a number of bytes in its Archpx64TransferTo64BitApplicationAsm.” When the Windows boot process calls that function, the patched code runs, and because the OS is now in memory, the code can modify it.
The patched Archpx64TransferTo64BitApplicationAsm then looks for a specific byte pattern in the operating system loader’s OslArchTransferToKernel function and adds a hook at the end of it. Then, “OslArchTransferToKernel is called just before execution is transferred from the Windows loader to the Windows kernel, which makes it a traditional hooking point for rootkits of that sort,” as Kaspersky researchers stated.
CosmicStrand then sets up another hook in ZwCreateSection. Malicious code is copied into memory and the function’s bytes are patched to redirect to it. The attackers specifically place the malicious code in the “ntoskrnl.exe” text section because it is less visible to security agents or antivirus software there.
After that, the rootkit seems to disable Kernel Patch Protection (KPP, also known as PatchGuard), a security mechanism meant to prevent changes to the Windows kernel. When the kernel starts, it calls the ZwCreateSection function as normal, but that function now contains the malicious code. CosmicStrand restores the original code and then runs even more malicious code.
Are you Safe: What Devices can the Rootkit Affect?
According to researchers at Kaspersky, “the rootkit is located in the firmware images of Gigabyte or ASUS motherboards” and may be related to designs that use the H81 chipset. There may be some sort of vulnerability within the firmware of these devices. Firmware images obtained by Kaspersky show that modifications are first introduced in the CSMCORE DXE driver.
Older UEFI Rootkit Viruses
Researchers estimate that attackers used similar variants back in 2016 and 2017. The report discusses the discovery of older versions of CosmicStrand, which feature the same deployment process. They also detected the rootkit running on devices located in China, Vietnam, Iran, and Russia. All of these devices had Kaspersky’s free product installed and running, perhaps suggesting that they might be a target for this rootkit.
Kaspersky also found similarities between the code patterns in CosmicStrand and the MyKings botnet. Sophos documented MyKings in 2020; it allowed attackers to break into servers and install crypto-mining software. Like CosmicStrand, MyKings uses an MBR rootkit, makes calls with similar tags, and generates network packets the same way. Kaspersky has also found other UEFI rootkits: FinSpy (2020), MosaicRegressor (2021), and MoonBounce (2022). Software company ESET identified LoJax (2018) and ESPecter (2021). CosmicStrand was first seen in 2017 by Qihoo360 and is now being spotted again by Kaspersky. While the tech industry only knows of a few rootkit attacks to date, everyone must address them. The danger of these rootkits is paramount. If the industry continues to turn a blind eye to them, who knows what will be attacked next.
UEFI-based rootkits are persistent and attack the very basic firmware of computers. They are difficult both to identify and to remove, making them a huge cyberthreat. CosmicStrand attacks UEFI and can compromise an entire system. It may be hard to defend against UEFI attacks, but everyone should make their best efforts to prevent these threats. CTOs (chief technical officers) or your managed IT service provider should react by assessing the vulnerabilities of UEFI security or inspecting UEFI firmware with an endpoint security product. Regardless of how common or uncommon these sorts of attacks become in the next few years, they are a huge threat to any device.
To Read Kaspersky’s Full Report: CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit | Securelist