UEFI Malware discovered in Gigabyte and Asus H81 motherboard firmware

Researchers at cybersecurity company Kaspersky have discovered a new form of malware that resides in the motherboard's UEFI. The malware is a form of rootkit that remains present even after the host hard drive or SSD is wiped or replaced.

The Kaspersky engineers (via Bleeping Computer) named it CosmicStrand. It's reported to be an evolution of an earlier malware called Spy Shadow Trojan which was discovered as far back as 2016. The researchers found the CosmicStrand malware in the firmware of Asus and Gigabyte motherboards. Don’t panic though! I’ll explain.

The infected systems ran motherboards based on the H81 chipset, which dates back many years. An attacker would also need access to the system or need to install a different malware to update or patch the firmware to inject the CosmicStrand malware. So if you’re reading this, don’t think that Asus or Gigabyte systems have been insecure for all of these years or that your system is compromised. Until there is further research, it may be that CosmicStrand can only take advantage of a possible H81 UEFI vulnerability.

The malware sets up a series of hooks that allow Windows kernel access, eventually leading the infected OS to retrieve a payload that will execute on the victim’s machine. The Kaspersky engineers weren’t able to retrieve the payload itself, but they believe the malware shares code patterns with a Chinese group responsible for the MyKings crypto mining botnet. And that’s what its usually about. Scumbags trying to steal or make money.

The UEFI, or Unified Extensible Firmware Interface, is almost like a mini OS. It's the interface between the hardware and software of the system, meaning it influences the OS and all of the software of the system. The UEFI is usually secure and it requires specific code knowledge. There are very few known UEFI threats.

Kaspersky’s report states “the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later.”

So, while the threat is limited, it shines a spotlight on the need for the industry to pay close attention to possible vulnerabilities. The lure of a million infected machines covertly mining a crypto coin is a huge dangling carrot for a malicious actor.