Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us

Researchers have found a malicious UEFI-based rootkit in the wild that persists even after an operating system is reinstalled or a hard drive is completely replaced.

The low-level and highly opaque chain of firmware required to boot up nearly every modern computer has been compromised by the rootkit. The software that bridges a PC's device firmware with its operating system is called the UEFI. Because the code lives in a flash storage chip on the motherboard, it is difficult to inspect or patch. And because it runs first when a computer is turned on, it influences the OS, security apps, and all other software that loads afterward.

Exotic, yes. Rare, no.

On Monday, researchers from Kaspersky profiled a sophisticated rootkit the security firm calls CosmicStrand. The find belongs to a small group of such threats known to have been used in the wild. Until recently, researchers assumed that the technical demands of developing UEFI malware put it out of reach of most threat actors. The discovery of CosmicStrand, which has been attributed to a Chinese hacking group, suggests such threats may not be so rare.

The most striking aspect of this report is that this implant seems to have been used in the wild since the end of 2016 and before the public knew about it. If this is what the attackers were using in the past, what are they using now?


An earlier variant of the rootkit had been reported by researchers from other security firms, but Kaspersky and most other Western-based security firms didn't take notice of it at the time. Kaspersky's research shows how the rootkit hijacks the boot process of infected machines. The technical underpinnings attest to the sophistication of the software.

A piece of software that runs in the deepest parts of the operating system is called a rootkit. Information about its presence in the operating system is hidden from the public. A bootkit is a piece of software that can cause a machine to fail. UEFI is a technical standard defining how components can participate in the startup of an operating system. Around 2006 it was introduced. The boot process is supported by almost all devices today. When we say something happens at the UEFI level, it means that it happens before the operating system has even been loaded. Whatever standard is being used during that process is only an implementation detail and will be used again in 2022.

Ivan Kwiatkowski wrote in an email.

So a rootkit may or may not be a bootkit, depending on where it is installed on the victim’s machine. A bootkit may or may not be a rootkit, as long as it infected a component used for the system startup (but considering how low-level these usually are, bootkits will usually be rootkits). And firmware is one of the components which can be infected by bootkits, but there are others, too. CosmicStrand happens to be all of these at the same time: It has the stealthy rootkit capabilities and infects the boot process through malicious patching of the firmware image of motherboards.

Hooks are set at selected points in the boot process and modify the execution flow. Legitimate software sometimes injects code before or after a particular function to add new functionality, but in this case the hooks come in the form of additional code developed by the attacker.

CosmicStrand's infection chain works as follows:

  • The initial infected firmware bootstraps the whole chain.
  • The malware sets up a malicious hook in the boot manager, allowing it to modify Windows’ kernel loader before it is executed.
  • By tampering with the OS loader, the attackers are able to set up another hook in a function of the Windows kernel.
  • When that function is later called during the normal startup procedure of the OS, the malware takes control of the execution flow one last time.
  • It deploys a shellcode in memory and contacts the C2 server to retrieve the actual malicious payload to run on the victim’s machine.