{"id":45017,"date":"2022-07-26T13:10:51","date_gmt":"2022-07-26T17:10:51","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=45017"},"modified":"2022-07-26T13:10:51","modified_gmt":"2022-07-26T17:10:51","slug":"cosmicstrand-uefi-rootkit","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/cosmicstrand-uefi-rootkit\/45017\/","title":{"rendered":"CosmicStrand: a UEFI rootkit"},"content":{"rendered":"<p>Our researchers <a href=\"https:\/\/securelist.com\/cosmicstrand-uefi-firmware-rootkit\/106973\/\" target=\"_blank\" rel=\"nofollow noopener\">examined a new version of the CosmicStrand rootkit<\/a>, which they found in modified <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/uefi\/\" target=\"_blank\" rel=\"noopener\">UEFI<\/a> (Unified Extensible Firmware Interface) firmware \u2014 the code that loads first and initiates the OS boot process when the computer is turned on.<\/p>\n<h2>The danger of UEFI malware<\/h2>\n<p>Since UEFI firmware is embedded in a chip on the motherboard and not written to the hard drive, it is immune to any hard drive manipulations. Therefore, it is very difficult to get rid of UEFI-based malware: even wiping the drive and reinstalling the operating system will not touch UEFI. For this same reason, not all security solutions can detect malware hidden in UEFI. Simply put, once malware has made its way into the firmware, it is there to stay.<\/p>\n<p>Of course, infecting UEFI is no simple task: this requires either physical access to the device, or some sophisticated mechanism for remote infection of the firmware. What\u2019s more, to achieve its ultimate goal, whatever that may be, the malware not only has to reside in UEFI, but penetrate the operating system at startup, which is nothing if not tricky. 
All this requires great effort to pull off, which is why such malware is most often seen in targeted attacks against high-profile individuals or organizations.<\/p>\n<h2>Victims and possible infection vectors of CosmicStrand<\/h2>\n<p>Oddly enough, the CosmicStrand victims identified by our researchers were ordinary people using our free antivirus. They seemingly had nothing to do with any organization of interest to attackers of this caliber. It also turned out that the motherboards infected in all known cases came from just two manufacturers. Therefore, it is likely that the attackers found some common vulnerability in these motherboards that made UEFI infection possible.<\/p>\n<p>It is unknown how exactly the cybercriminals managed to deliver the malware. The fact that these CosmicStrand victims were small fries may indicate that the attackers behind this rootkit can infect UEFI remotely. But there are other possible explanations: for example, experts at Qihoo 360, having investigated early versions of CosmicStrand of 2016 vintage, <a href=\"https:\/\/bbs.360.cn\/thread-14959110-1-1.html\" target=\"_blank\" rel=\"nofollow noopener\">suggested<\/a> that one of the victims had purchased a modified motherboard from a reseller. But in this case, our experts were unable to confirm the use of any given infection method.<\/p>\n<h2>What CosmicStrand does<\/h2>\n<p>The main purpose of CosmicStrand is to download a malicious program at operating system startup, which then performs the tasks set by the attackers. 
Having successfully passed through all stages of the OS boot process, the rootkit eventually runs shellcode and contacts the attackers\u2019 <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/command-and-control-server-cc\/\" target=\"_blank\" rel=\"noopener\">C2 server<\/a>, from which it receives a malicious payload.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/07\/26130634\/cosmicstrand-uefi-rootkit-1.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/07\/26130634\/cosmicstrand-uefi-rootkit-1.png\" alt=\"CosmicStrand rootkit infection chain\" width=\"493\" height=\"637\" class=\"alignnone size-full wp-image-45021\"><\/a><\/p>\n<p>Our researchers could not intercept the file received by the rootkit from its C2 server. Instead, on one of the infected machines, they found a piece of malware that is likely related to CosmicStrand. This malware creates a user named \u201caaaabbbb\u201d in the operating system with local administrator rights. For more technical details about CosmicStrand, see our researchers\u2019 <a href=\"https:\/\/securelist.com\/cosmicstrand-uefi-firmware-rootkit\/106973\/\" target=\"_blank\" rel=\"nofollow noopener\">post on Securelist<\/a>.<\/p>\n<h2>Should we fear rootkits?<\/h2>\n<p>Since 2016, CosmicStrand has been serving cybercriminals well, attracting little or no attention from infosec researchers. That\u2019s worrying, of course, but it\u2019s not all bad. First, this is an example of sophisticated, expensive malware used for targeted, not mass, attacks \u2014 even if seemingly random people sometimes get hit. Second, there are security products able to detect such malware. 
For example, <a href=\"https:\/\/www.kaspersky.com\/internet-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kismd___\" target=\"_blank\" rel=\"noopener nofollow\">our security solutions<\/a> protect our users from rootkits.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our experts discovered a fresh version of CosmicStrand, a rootkit that hides from researchers in the UEFI firmware.<\/p>\n","protected":false},"author":2477,"featured_media":45020,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[4359,605,913,422,3685],"class_list":{"0":"post-45017","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-cosmicstrand","9":"tag-great","10":"tag-rootkit","11":"tag-threats","12":"tag-uefi"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cosmicstrand-uefi-rootkit\/45017\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/cosmicstrand-uefi-rootkit\/24412\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cosmicstrand-uefi-rootkit\/19878\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/cosmicstrand-uefi-rootkit\/10046\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/cosmicstrand-uefi-rootkit\/26807\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cosmicstrand-uefi-rootkit\/24713\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/cosmicstrand-uefi-rootkit\/25108\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/cosmicstrand-uefi-rootkit\/27453\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/cosmicstrand-uefi-rootkit\/27118\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cosmicstrand-uefi-
rootkit\/33702\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/cosmicstrand-uefi-rootkit\/10893\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/cosmicstrand-uefi-rootkit\/19233\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/cosmicstrand-uefi-rootkit\/19787\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/cosmicstrand-uefi-rootkit\/29085\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/cosmicstrand-uefi-rootkit\/25300\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cosmicstrand-uefi-rootkit\/30778\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cosmicstrand-uefi-rootkit\/30524\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/rootkit\/","name":"rootkit"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/45017","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2477"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=45017"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/45017\/revisions"}],"predecessor-version":[{"id":45023,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/45017\/revisions\/45023"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/45020"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=45017"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=45017"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.c
om\/blog\/wp-json\/wp\/v2\/tags?post=45017"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}