A sophisticated rootkit that is able to insert itself into the lowest level of Windows computers -- the motherboard firmware -- has been claiming victims since 2020, after dropping off the radar for around three years.
The rootkit, dubbed CosmicStrand by researchers from Kaspersky Lab, is stealthy and highly persistent since its code is stored deep in the UEFI, outside the detection scope of most security programs.
The Unified Extensible Firmware Interface (UEFI) is the modern equivalent of the BIOS. It is the firmware that contains the drivers needed to initialise and configure all hardware components of a computer before the main operating system starts and takes over. While BIOS rootkits were a relatively common occurrence many years ago, UEFI has stronger security protections, so UEFI malware is relatively rare.
What is CosmicStrand?
The CosmicStrand rootkit originally appeared in 2016 and claimed victims well into 2017, when it was documented by researchers from Chinese cybersecurity firm Qihoo360. It then seemed to drop off the radar until recently, when researchers from Kaspersky Lab detected new variants and victims in China, Vietnam, Iran and Russia.
"Based on our analysis of the infrastructure used for the two variants, we estimate that the older one saw use between the end of 2016 and mid-2017, and the current one was active in 2020," the Kaspersky researchers said in a report released this week.
Both variants were found in firmware images from Gigabyte or ASUS motherboards, particularly those based on the Intel H81 chipset, suggesting there's a potentially exploitable vulnerability in the UEFI builds used by those motherboards. However, the researchers were unable to confirm how the implant is delivered.
If a vulnerability exists, its exploitation likely requires local access to the computer, for example through another malware program running inside the operating system that would then overwrite or patch the UEFI.
The presence of a vulnerability in the firmware would not be unusual, especially considering the age of the affected motherboards -- the H81 chipset was launched in late 2013 and supports 4th generation Intel CPUs (Haswell).
Since 2013, many vulnerabilities have been discovered in UEFI implementations from different vendors, and at the time firmware security did not receive the same level of scrutiny from manufacturers as it does today.
Another possibility for deploying the CosmicStrand rootkit, which Qihoo360 mentioned back in 2017, is package interdiction -- the malicious modification of products somewhere in the supply chain, whether that's on the factory floor or later at a distributor or seller.
CosmicStrand is used as a long-term persistence mechanism because UEFI code survives OS reboots and even OS reinstallations and hard disk wipes. The only way to remove it is to reflash the UEFI, which is stored in its own dedicated SPI flash memory chip.
Once deployed on a system, CosmicStrand injects malicious code into the Windows kernel during the OS booting process and then deploys an OS-level malicious component downloaded from a command-and-control (C2) server.
How CosmicStrand works
In the UEFI, CosmicStrand is deployed as a maliciously modified (patched) variant of a legitimate EFI driver called CSMCORE. This driver normally allows the machine to boot in legacy mode via the MBR (master boot record) instead of the more modern GPT partition style, which uses a dedicated boot partition.
The attackers modify the pointer to the HandleProtocol boot service function so that every time the driver calls this function, their malicious code runs first. This choice is deliberate and is vital to the infection chain.
The problem with storing code in UEFI is that it stops running once execution is passed to the OS. UEFI drivers are essentially a bridge needed in the early stages of a computer's start-up routine, until the OS takes over and starts communicating directly with the initialised hardware components.
So, the attackers need a way to keep pushing their malicious code through the various stages of the boot process. These stages include the bootloader code, the Windows kernel loader, and ultimately the Windows kernel.
By hooking the HandleProtocol function, the attackers ensure their code is executed at a time when the bootloader code has been loaded into memory but hasn't been started yet. This allows them to modify another function from the bootloader called Archpx64TransferTo64BitApplicationAsm. This function is called later when the Windows loader is loaded into memory.
When that happens, the malicious code modifies (hooks) another function, this time in the Windows loader, called OslArchTransferToKernel. As the name implies, this function passes execution to the Windows kernel and the modification ensures this happens by executing the attacker code first. As expected, the next step is to inject code into the Windows kernel itself.
"Before the Windows kernel has had a chance to run, CosmicStrand sets up yet another hook in the ZwCreateSection," the Kaspersky researchers explained.
"Malicious code is copied into the image of ntoskrnl.exe in memory, and the first bytes of ZwCreateSection are overwritten to redirect to it. We note that the attackers were careful to place the malicious code inside the slack space of ntoskrnl.exe’s .text section, which makes this redirection a lot less conspicuous in the eyes of possible security products."
The kernel hook also includes code that attempts to disable PatchGuard, a Windows security mechanism that tries to prevent rogue modifications of the kernel code. It also allocates memory space for additional shellcode.
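The final link in that chain, the overwritten first bytes of ZwCreateSection redirecting into the slack space of the .text section, is something a memory-forensics check can look for. The following is an added illustration, not code from the Kaspersky report: it builds a constructed stand-in for the .text section (the offsets, sizes and prologue bytes are invented, not ntoskrnl.exe's real ones), diffs the in-memory prologue against the on-disk copy, decodes an inline JMP if present, and flags a target that lands between the section's VirtualSize and its raw size.

```python
import struct

# Constructed layout of a toy .text section (offsets are relative to the section start).
# Real code ends at TEXT_VIRTUAL_SIZE; the file-aligned padding up to TEXT_RAW_SIZE is the
# "slack space" the report describes. These values are assumptions for the illustration.
TEXT_VIRTUAL_SIZE = 0x180
TEXT_RAW_SIZE = 0x200
ZW_CREATE_SECTION_OFF = 0x100
# Constructed clean prologue (mov r10, rcx; mov eax, imm32), not the real ntoskrnl bytes.
CLEAN_PROLOGUE = bytes.fromhex("4c8bd1b8") + struct.pack("<I", 0x4A)


def build_section(hooked: bool) -> bytes:
    """Return a constructed .text image; with hooked=True, the prologue is replaced by a
    JMP rel32 into the slack space, mirroring the redirection described in the report."""
    section = bytearray(TEXT_RAW_SIZE)  # zero-filled, so the slack stays zero when clean
    section[ZW_CREATE_SECTION_OFF:ZW_CREATE_SECTION_OFF + len(CLEAN_PROLOGUE)] = CLEAN_PROLOGUE
    if hooked:
        target = TEXT_VIRTUAL_SIZE + 0x10          # inside the slack, not inside real code
        section[target:target + 3] = b"\x90\x90\xc3"  # harmless placeholder stub (nop nop ret)
        rel = target - (ZW_CREATE_SECTION_OFF + 5)   # rel32 is relative to the next instruction
        section[ZW_CREATE_SECTION_OFF:ZW_CREATE_SECTION_OFF + 5] = b"\xe9" + struct.pack("<i", rel)
    return bytes(section)


def find_inline_jmp(section: bytes, off: int):
    """Return the jump target if the function at `off` starts with JMP rel32 (E9), else None."""
    if section[off] != 0xE9:
        return None
    rel = struct.unpack_from("<i", section, off + 1)[0]
    return off + 5 + rel


def check_zwcreatesection(memory_section: bytes, disk_section: bytes) -> dict:
    """Compare the in-memory prologue with the on-disk copy and classify any redirection."""
    n = len(CLEAN_PROLOGUE)
    mem = memory_section[ZW_CREATE_SECTION_OFF:ZW_CREATE_SECTION_OFF + n]
    disk = disk_section[ZW_CREATE_SECTION_OFF:ZW_CREATE_SECTION_OFF + n]
    target = find_inline_jmp(memory_section, ZW_CREATE_SECTION_OFF)
    return {
        "modified": mem != disk,                      # prologue no longer matches the file
        "jmp_target": target,                         # None when no inline JMP is present
        "target_in_slack": target is not None and TEXT_VIRTUAL_SIZE <= target < TEXT_RAW_SIZE,
        "slack_nonzero": any(memory_section[TEXT_VIRTUAL_SIZE:TEXT_RAW_SIZE]),  # padding should be zero
    }
```

On a real memory image the section bounds come from the PE headers, and the on-disk comparison must use a copy of ntoskrnl.exe relocated to the same load address so that legitimate fix-ups do not register as modifications.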
The kernel implant
Once it establishes execution in the Windows kernel, the CosmicStrand code waits for 10 minutes to allow other Windows components to start and then tests the computer's internet connectivity. It does this by talking directly to the Transport Device Interface instead of using the Windows kernel networking API functions that might be monitored by security products.
The implant then establishes a connection to its C2 server, from which it downloads code in 528-byte chunks, reassembles it into shellcode and loads it into the kernel.
"Unfortunately, we were not able to obtain a copy of data coming from the C2 server," the researchers said. "We did, however, find a user-mode sample in-memory on one of the infected machines we could study, and believe it is linked with CosmicStrand. This sample is an executable that runs command lines in order to create a user (“aaaabbbb”) on the victim’s machine and add it to the local administrators group."
The presence of this user-mode component suggests that the shellcode downloaded from the C2 serves as a stager for multiple implants delivered as PE executables, and the researchers suspect there may be more of them with different functionalities.
Rootkit origin and victims
While the researchers were not able to definitively link CosmicStrand to a particular threat actor, they found code patterns similar to those of the MyKings botnet, which is believed to be of Chinese origin and was used in 2020 to deliver cryptominers.
This suggests that CosmicStrand was also created by a Chinese-speaking threat actor or one that has access to malware resources shared among Chinese threat groups.
The victims identified so far were based in China, Vietnam, Iran and Russia and appear to be private individuals rather than organisations from particular industry sectors. However, Kaspersky only has visibility into users of its own products, so additional victims might exist around the world, especially since CosmicStrand implants are not easy to detect and the attackers behind them are careful with victim selection.
"The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016 – long before UEFI attacks started being publicly described," the researchers said.
"This discovery begs a final question: If this is what the attackers were using back then, what are they using today? The multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later."