July 27, 2022

Kaspersky researchers on Monday uncovered CosmicStrand, a sophisticated UEFI rootkit that the company discovered through its antivirus software.

The malicious Unified Extensible Firmware Interface (UEFI) rootkit has been exploited by attackers in the wild since 2016. Researchers linked the malware to an unknown Chinese-speaking hacking group that has possible links to cryptominer malware.

UEFI is almost called an operating system and is located in a flash memory chip connected to SPI that is soldered to the computer motherboard, making it difficult to execute or patch the code.

The purpose of the malware is to ensure that computers remain infected even if an operating system is reinstalled or a hard drive is completely replaced.

“The most striking aspect of this report is that this UEFI implant seems to have been used in the wild since the end of 2016—long before UEFI attacks started being publicly described. This discovery begs a final question: If this is what the attackers were using back then, what are they using today,” the Kaspersky researchers wrote.

The CosmicStrand execution chain starts with a driver that appears to be a modification of a legitimate one called CSMCORE. CSMCORE creates a pointer to a boot service function known as HandleProtocol. Once HandleProtocol is called, the execution is redirected to code supplied by the attacker that checks for certain criteria, including the called component and specific bytes contained in the return address.

Before the Windows kernel starts running, CosmicStrand adds another check mark in the ZwCreateSection function, which injects malicious shellcode into the image of a file named ntoskml.exe.

The sources for this piece include an article in Arstechnica.