[MART] - Daily Diary #559 - CosmicStrand, A UEFI Firmware Rootkit

CTAS-MAT ctas-mat at appgate.com
Mon Jul 25 22:13:27 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

07/25/2022 - Diary entry #559:

A rootkit is a sophisticated malware type (explained in our Daily Diary #367) designed to give access to a privileged area of the computer while hiding itself in the system and evading detection by analysts and security software. When it is deployed into low-level components such as the machine's firmware, it becomes a perilous threat that can survive an OS re-installation or hard drive formatting.

That's the case with CosmicStrand, a new UEFI firmware rootkit linked to an unknown Chinese-speaking threat actor. The rootkit is located in the firmware images of Gigabyte or ASUS motherboards that use the H81 chipset.

After infection, the firmware image is modified so that malicious code executes during the Windows machine's startup process. The rootkit then deploys shellcode in memory and contacts the C2 server to fetch the actual malicious payload, using a tricky approach that avoids relying on high-level API functions in order to evade detection.

The final payload observed during an attack was an executable that runs command lines to create a user on the machine and add it to the local Administrators group. However, since this threat is very advanced, it is likely that many other payloads exist.
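The observed payload behaviour (a new local user that is immediately added to the local Administrators group) leaves a recognisable trace in the Windows Security log: event 4720 (user account created) followed shortly by event 4732 (member added to a security-enabled local group) for the built-in Administrators group, SID S-1-5-32-544. The script below is an added example, not code from the diary or from the CosmicStrand analysis, that correlates these two events over a constructed set of log records; the account names, SIDs and timestamps are invented for the demonstration, and the 10-minute correlation window is an assumed tuning value.

```python
"""Flag local accounts that are created and then added to Administrators
within a short window, using Windows Security event IDs 4720 and 4732.
Added example with constructed sample data (no real log data)."""
from datetime import datetime, timedelta

# Well-known SID of the built-in local Administrators group.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample events, shaped like the fields exported from the
# Security log. 4720 reports the new account's name and SID; 4732 reports
# the added member by SID (MemberSid) and the group by SID (TargetSid).
SAMPLE_EVENTS = [
    {"event_id": 4720, "time": "2022-07-25T09:00:00", "subject": "ITADMIN",
     "target_name": "helpdesk", "target_sid": "S-1-5-21-1111-2222-3333-1006"},
    {"event_id": 4720, "time": "2022-07-25T10:00:00", "subject": "SYSTEM",
     "target_name": "svc_update", "target_sid": "S-1-5-21-1111-2222-3333-1005"},
    {"event_id": 4732, "time": "2022-07-25T10:00:02", "subject": "SYSTEM",
     "member_sid": "S-1-5-21-1111-2222-3333-1005", "group_sid": ADMINISTRATORS_SID},
    {"event_id": 4732, "time": "2022-07-25T10:05:00", "subject": "ITADMIN",
     "member_sid": "S-1-5-21-1111-2222-3333-1001", "group_sid": "S-1-5-32-555"},
    {"event_id": 4732, "time": "2022-07-25T11:30:00", "subject": "ITADMIN",
     "member_sid": "S-1-5-21-1111-2222-3333-1006", "group_sid": ADMINISTRATORS_SID},
]


def _parse_time(value):
    return datetime.fromisoformat(value)


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Return one hit per account that was created (4720) and added to the
    local Administrators group (4732) within `window`. Correlation is done on
    the account SID, which is the stable identifier shared by both events."""
    created = {}  # target_sid -> (account name, creation time)
    hits = []
    for ev in sorted(events, key=lambda e: _parse_time(e["time"])):
        when = _parse_time(ev["time"])
        if ev["event_id"] == 4720:
            created[ev["target_sid"]] = (ev["target_name"], when)
        elif ev["event_id"] == 4732 and ev["group_sid"] == ADMINISTRATORS_SID:
            record = created.get(ev["member_sid"])
            if record is None:
                continue  # pre-existing account: out of scope for this rule
            name, created_at = record
            if when - created_at <= window:
                hits.append({
                    "account": name,
                    "sid": ev["member_sid"],
                    "created_at": created_at.isoformat(),
                    "added_at": when.isoformat(),
                    "by": ev["subject"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_new_local_admins(SAMPLE_EVENTS):
        print(f"ALERT: {hit['account']} ({hit['sid']}) created {hit['created_at']} "
              f"and added to Administrators {hit['added_at']} by {hit['by']}")
```

In the sample data only `svc_update` trips the rule: `helpdesk` was created 2.5 hours before it was promoted, and the third 4732 event concerns the Remote Desktop Users group rather than Administrators. A 4732 whose member SID has no matching 4720 in the window is deliberately ignored so the rule stays focused on the create-then-promote pattern described above; a separate rule should cover promotions of existing accounts.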

Kind Regards,





Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>

