Researchers have made a major cybersecurity discovery – a malicious UEFI-based rootkit that has been used in the wild since 2016 to keep computers infected even if the operating system is reinstalled or the hard drive is completely replaced.
Firmware rootkits hack UEFI, the low-level and highly opaque chain of firmware required to boot almost every modern computer. As the software that links a computer’s firmware to its operating system, UEFI – short for Unified Extensible Firmware Interface – is an operating system in its own right. It lives in an SPI-connected flash storage chip soldered to the computer’s motherboard, which makes the code difficult to inspect or debug. Because it is the first thing that runs when the computer is powered on, it influences the operating system, security applications, and every other program that follows.
Strange, yes. Rare, no.
On Monday, Kaspersky researchers profiled CosmicStrand, the security company’s name for the sophisticated UEFI rootkit that the company found and obtained through its antivirus software. It is among only a handful of UEFI threats known to have been used in the wild. Until recently, researchers assumed that the technical demands of developing UEFI malware of this caliber put it beyond the reach of most threat actors. Now, with Kaspersky attributing CosmicStrand to an unknown Chinese-speaking hacking group with possible ties to cryptominer malware, this type of malware may not be so rare after all.
“The most striking aspect of this report is that this UEFI implant appears to have been used in the wild since the end of 2016 – long before UEFI attacks began to be publicly described,” Kaspersky researchers wrote. “This discovery begs one last question: If this is what attackers were using at the time, what are they using today?”
While researchers from fellow security firm Qihoo360 reported an earlier version of the rootkit in 2017, Kaspersky and most other Western security companies did not take notice. Kaspersky’s more recent research describes in detail how the rootkit, found in the firmware images of some Gigabyte and Asus motherboards, hijacks the boot process of infected machines. The technical underpinnings attest to how far malware has evolved.
A rootkit is a piece of malware that operates in the deepest layers of the operating system it infects. It leverages this strategic position to hide information about its existence from the operating system itself. A bootkit, meanwhile, is malware that infects the device’s boot process in order to persist on the system. The successor to the legacy BIOS, UEFI is a technical standard that defines how components participate in the startup of an operating system. It is the newer of the two, introduced around 2006, and today almost all devices use UEFI for the boot process. The key point is that when we say something happens at the UEFI level, it happens when the computer starts up, before the operating system is even loaded. Whatever standard is used during this process is just an implementation detail, and in 2022 it will almost always be UEFI anyway.
In an email, Kaspersky researcher Ivan Kwiatkowski wrote:
So the rootkit may or may not be a bootkit, depending on where it is installed on the victim’s machine. The bootkit may or may not be a rootkit, as long as it infects a component used to start the system (but looking at the low level, bootkits will usually be rootkits). And firmware is one of the components that can get infected with bootkits, but there are others as well. CosmicStrand happens to be all of these at the same time: it has rootkit capabilities and infects the boot process by malicious patching of motherboards’ firmware image.
The CosmicStrand workflow consists of placing ‘hooks’ at carefully selected points in the boot process. Hooks are modifications of the normal execution flow. They usually take the form of additional code developed by the attacker, but hooking is also a legitimate technique: code inserted before or after a particular function can be used to trigger new behaviour.
The CosmicStrand workflow looks like this:
- The infected initial firmware boots the entire chain.
- The malware sets up a malicious hook in the boot manager, allowing it to modify Windows’ kernel loader before executing it.
- By tampering with the operating system’s loader, attackers can set up another hook in one of the functions of the Windows kernel.
- When this function is called later during the normal startup procedure of the operating system, the malware controls the flow of execution one last time.
- It deploys shellcode in memory and connects to the C2 server to retrieve the actual malicious payload to run on the victim’s machine.
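The chain above starts from a patched firmware image, so the practical defender-side check is to compare a dump of the SPI flash against the vendor's clean image and list the modified byte ranges. The script below is an added example, not code from the article or from Kaspersky; the two images it compares are constructed sample data (a real dump would come from a hardware programmer or a vendor flash-reading tool).

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, for recording what was compared."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(clean: bytes, dumped: bytes, merge_gap: int = 16) -> list:
    """Return (offset, length) pairs where `dumped` differs from `clean`.

    Differences closer together than `merge_gap` bytes are merged into one
    region, because a patched driver shows up as a contiguous modified block
    plus nearby fix-ups rather than as scattered single bytes."""
    if len(clean) != len(dumped):
        raise ValueError(f"image sizes differ: {len(clean)} vs {len(dumped)}")
    regions, start, last = [], None, None
    for i, (a, b) in enumerate(zip(clean, dumped)):
        if a != b:
            if start is None:
                start = i
            elif i - last > merge_gap:
                regions.append((start, last - start + 1))
                start = i
            last = i
    if start is not None:
        regions.append((start, last - start + 1))
    return regions


def compare_images(clean: bytes, dumped: bytes) -> dict:
    """Summarise a firmware dump against the vendor image."""
    regions = diff_regions(clean, dumped)
    return {
        "clean_sha256": sha256_hex(clean),
        "dumped_sha256": sha256_hex(dumped),
        "modified": bool(regions),
        "regions": regions,
    }


# Constructed sample: a 4 KiB "vendor" image and a dump with two patched spots.
CLEAN_IMAGE = bytes(range(256)) * 16
_patched = bytearray(CLEAN_IMAGE)
_patched[0x400:0x420] = b"\x90" * 0x20   # 32-byte modified block
_patched[0x800] ^= 0xFF                  # single-byte fix-up elsewhere
PATCHED_IMAGE = bytes(_patched)

if __name__ == "__main__":
    report = compare_images(CLEAN_IMAGE, PATCHED_IMAGE)
    for off, length in report["regions"]:
        print(f"modified region at 0x{off:06x}, {length} bytes")
```

On a real board, expect some differences in the NVRAM region even on a clean system (boot variables change between boots); differences inside the volume holding DXE drivers are the ones that warrant a closer look.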