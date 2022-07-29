Malware CosmicStrand is a UEFI rootkit capable of operating before Windows boots

Kaspersky, a company that develops security software against malware, ransomware and spyware, has published details of a new and sophisticated piece of malware: CosmicStrand. It is a UEFI (Unified Extensible Firmware Interface) rootkit that runs before the Windows OS loads. It was found in the firmware of Asus and Gigabyte motherboards, on machines in countries including Russia, China, Vietnam and Iran.

The malware does not infect Windows directly but the motherboard's firmware, which is why it is classed as a rootkit: it sits beneath the operating system, and that makes CosmicStrand hard to detect and remove. Not even formatting the disk and reinstalling Windows would get rid of it, because the infected firmware stays in the motherboard's flash chip. It works in a sophisticated and unusual way because it is tied to UEFI, the firmware layer that connects the operating system to the computer's hardware: as soon as the PC is powered on, UEFI starts running and CosmicStrand starts with it.

CosmicStrand Malware

Kaspersky points out that CosmicStrand has been active since 2020. The malware hijacks the PC's boot process and, step by step, gains access to Windows kernel resources. That foothold allows it to capture sensitive data and to run additional malicious software.

When the PC is powered on, CosmicStrand's first stage runs from a modified copy of a legitimate UEFI driver called CSMCORE. That code hooks HandleProtocol, a UEFI boot service that is called many times during boot, and the hook inspects each call to find the right moment to act. Once the Windows boot manager is loaded, the rootkit patches a few bytes in its 'Archpx64TransferTo64BitApplicationAsm' function, and from there a cascade of further patches follows the boot chain down until the Windows kernel itself is infected.
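A practical check that follows from the modified-driver stage described above: a DXE driver that has been patched to run attacker code usually has its entry point redirected somewhere outside the original .text section (for example into space appended to .reloc). The script below is an added example written for this page, not Kaspersky's tooling or anything from the report, and it uses a general heuristic rather than a CosmicStrand-specific signature. It assumes the UEFI modules have already been extracted from a SPI flash dump (with a tool such as UEFITool) into PE32+ images; the two "CSMCORE" images it analyzes are constructed, header-only test inputs with an assumed section layout, not real firmware.

```python
import struct

# PE constants needed for the check (from the PE/COFF specification).
PE32PLUS_MAGIC = 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000


def parse_pe32plus(image: bytes):
    """Return (AddressOfEntryPoint, [(name, rva, size, characteristics), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("not PE32+; x64 UEFI modules are PE32+")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i                          # section table follows the optional header
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name, vaddr, vsize, chars))
    return entry_rva, sections


def check_entry_point(image: bytes) -> dict:
    """Flag a module whose entry point does not land in an executable section.

    An entry point redirected into .reloc (or any non-code section) is a
    classic indicator of a driver patched after the vendor built it.
    """
    entry_rva, sections = parse_pe32plus(image)
    for name, rva, size, chars in sections:
        if rva <= entry_rva < rva + size:
            executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
            return {"entry_rva": entry_rva, "section": name,
                    "suspicious": (not executable) or name == ".reloc"}
    # Entry point outside every section: corrupted or deliberately obfuscated.
    return {"entry_rva": entry_rva, "section": None, "suspicious": True}


def triage(modules: dict) -> list:
    """Return the names of extracted modules whose entry point looks patched."""
    return [name for name, img in modules.items() if check_entry_point(img)["suspicious"]]


def build_pe32plus(entry_rva: int, sections) -> bytes:
    """Build a header-only PE32+ image (constructed test input; it carries no code)."""
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)                                    # PE32+ optional header size
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), sz, rva, sz, 0, 0, 0, 0, 0, ch)
        for n, rva, sz, ch in sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: identical assumed layout, differing only in where the entry point lands.
LAYOUT = [
    (".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".reloc", 0x4000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
]
CLEAN_CSMCORE = build_pe32plus(0x1040, LAYOUT)    # entry inside .text, as a vendor build has it
PATCHED_CSMCORE = build_pe32plus(0x4010, LAYOUT)  # entry redirected into .reloc (hypothetical)

if __name__ == "__main__":
    modules = {"CSMCORE_clean": CLEAN_CSMCORE, "CSMCORE_patched": PATCHED_CSMCORE}
    for name, img in modules.items():
        print(name, check_entry_point(img))
    print("suspicious modules:", triage(modules))
```

On a real dump this heuristic is a first pass only: a hit means the module deserves a disassembly of its entry point, and a clean result proves nothing, so the dump should also be diffed module by module against the vendor's published firmware image for the exact board revision.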


The cybersecurity firm points out that the malware is linked to a group in China that controls the cryptocurrency-mining botnet MyKings. This suggests a connection between the rootkit and machines used for mining, and CosmicStrand's presence in countries such as China, Russia, Vietnam and Iran reinforces that link.

So far Kaspersky has not been able to identify how CosmicStrand gets onto a computer. Because it is a UEFI rootkit, the firmware itself has to be rewritten, so physical access to the machine is the most obvious infection route. The main hypothesis is that the compromised ASUS and Gigabyte motherboards were tampered with by a reseller, but there is no evidence to support that accusation.



Source: ArsTechnica, Kaspersky