New CosmicStrand rootkit targets Gigabyte and ASUS motherboards

Malware comes in different flavors. Most of the time it consists of malicious files stored in the computer's file system, just like any other file, running as software with or without elevated privileges. When found, such files can usually be deleted from the file system, or they disappear when the operating system is reinstalled. Rootkits, however, are a different kind of malware.

What are rootkits?

Rootkits are designed to maintain privileged access to a computer and, often, to hide other malicious software running on it. Some rootkits do not reside in the operating system's file system at all, but elsewhere, such as in firmware. Rootkits also frequently run at kernel level rather than as ordinary user-mode software.

Such malware takes considerably more effort to develop than ordinary malware, because it faces many more technical and programming challenges.

New research from Kaspersky exposes a rootkit dubbed CosmicStrand, which sits quietly in the Unified Extensible Firmware Interface (UEFI) firmware of specific computers.

According to Kaspersky, the rootkit was found in the firmware images of Gigabyte and ASUS motherboards. All of the infected images relate to designs built around the H81 chipset, suggesting that a common vulnerability may exist that allowed the attackers to inject the rootkit into the firmware image.

How does CosmicStrand work?

Affected firmware images have been altered to run the malicious code at system startup. This triggers a long execution chain that ends with malicious content being downloaded and deployed inside the Windows kernel on the affected machine. The entry point of the affected firmware component has been patched to redirect execution into code that was added to its .reloc section.

According to the researchers, the firmware was modified with an automated patcher, which implies the attackers had prior access to the victim's computer in order to extract the firmware, inject the malicious code and then write the modified image back to the motherboard's flash.

Because the rootkit's goal is to run malicious code at the kernel level of the operating system, the infection chain is far more complex than that of an ordinary malware infection. The UEFI code runs before Windows is loaded, so the attacker has to find a way to hand the malicious code over to the operating system that survives the boot process, since the UEFI code itself will have finished executing by the time the operating system is running.

The attacker achieves this by setting a series of hooks, each leading to the next, so that the malicious code is eventually executed after the operating system has started (Figure A).

Figure A: Infection chain from UEFI boot to the running operating system (infographic of the CosmicStrand rootkit chain; image: Kaspersky).

During the infection chain, the rootkit disables Kernel Patch Protection (KPP), also known as PatchGuard, a security mechanism of 64-bit Windows that prevents modifications to key kernel structures in memory.

Once the operating system has finished booting, CosmicStrand allocates a buffer in the kernel's address space, copies a shellcode into it and executes it.

The kernel level malicious payload

The shellcode run by the rootkit waits for a new thread to be created in winlogon.exe and then executes a callback in that highly privileged context. It then sleeps for 10 minutes before testing internet connectivity. The test is performed through the Transport Driver Interface (TDI) rather than the usual high-level networking APIs, and sends a DNS request to Google's DNS server or to a custom one located in China.

If internet connectivity is available, the shellcode retrieves the final payload from the C2 server update.bokts[.]com. CosmicStrand expects the payload to arrive in 528-byte chunks following a particular structure, probably to defeat automated analysis tools.

Kaspersky could not retrieve that final payload, but the researchers did find a user-mode sample in the memory of one of the infected computers they were able to analyze. That sample, which is believed to be linked to CosmicStrand, creates a user named "aaaabbbb" on the targeted machine and adds that user to the local Administrators group.
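The behavior of that user-mode sample, a fresh local account that is promptly added to Administrators, leaves a recognizable trace in the Windows Security log: event 4720 (a user account was created) followed shortly by event 4732 (a member was added to a security-enabled local group) for the same account. The following is an added example written for this article, not Kaspersky's detection logic: it correlates those two events per account within a short window and also matches the reported account name. The log lines are constructed for the example in a simplified one-line layout that keeps the real event IDs and event-data field names (TargetUserName, MemberName, TargetSid) but is not an exported Windows log; the 10-minute window is an assumption.

```python
"""Added example: spot a freshly created local account that is promptly made a local
administrator, the behavior attributed to the CosmicStrand user-mode sample.

Windows Security events used: 4720 (a user account was created) and 4732 (a member
was added to a security-enabled local group). SAMPLE_LOG below is constructed for
this example in a simplified "timestamp|event_id|field=value;..." layout; the
field names match the real event data, but the lines are not an exported log.
"""
from datetime import datetime, timedelta

SUSPECT_NAMES = {"aaaabbbb"}            # account name reported by Kaspersky
ADMINISTRATORS_SID = "S-1-5-32-544"     # well-known SID of the local Administrators group
DEFAULT_WINDOW = timedelta(minutes=10)  # assumed: how soon after creation the promotion must occur

SAMPLE_LOG = """\
2020-03-02T10:00:01|4720|TargetUserName=svc_backup;SubjectUserName=helpdesk
2020-03-03T09:15:00|4732|MemberName=svc_backup;TargetUserName=Administrators;TargetSid=S-1-5-32-544
2020-03-04T02:10:05|4720|TargetUserName=aaaabbbb;SubjectUserName=SYSTEM
2020-03-04T02:10:06|4732|MemberName=aaaabbbb;TargetUserName=Administrators;TargetSid=S-1-5-32-544
2020-03-04T02:11:00|4732|MemberName=backupadmin;TargetUserName=Backup Operators;TargetSid=S-1-5-32-551
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event_id, {field: value})."""
    stamp, event_id, rest = line.split("|", 2)
    fields = dict(item.split("=", 1) for item in rest.split(";") if item)
    return datetime.fromisoformat(stamp), int(event_id), fields


def find_rogue_admins(log_text, window=DEFAULT_WINDOW):
    """Return (account, reason) pairs for accounts that look like the CosmicStrand pattern."""
    created_at = {}                         # account name (lower-cased) -> creation time
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, fields = parse_line(line)
        if event_id == 4720:
            name = fields["TargetUserName"]
            created_at[name.lower()] = stamp
            if name.lower() in SUSPECT_NAMES:
                hits.append((name, "account name matches the reported CosmicStrand IoC"))
        elif event_id == 4732 and fields.get("TargetSid") == ADMINISTRATORS_SID:
            # Only promotions into the local Administrators group matter here;
            # other groups (e.g. Backup Operators) are ignored.
            name = fields["MemberName"]
            born = created_at.get(name.lower())
            if born is not None and timedelta(0) <= stamp - born <= window:
                seconds = int((stamp - born).total_seconds())
                hits.append((name, "created and added to Administrators within %ds" % seconds))
    return hits


if __name__ == "__main__":
    for account, reason in find_rogue_admins(SAMPLE_LOG):
        print("%-12s %s" % (account, reason))
```

On the constructed log the helpdesk-created service account is promoted a day later and is not reported, while "aaaabbbb" is reported twice, once for its name and once for the one-second gap between creation and promotion. Against a real environment the same logic would be fed from the Security log (for instance via an EVTX export or a SIEM query), and the name match should be treated as the weaker of the two signals, since an attacker can trivially change it.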

A long-running threat targeting individuals

Kaspersky also discovered older versions of the rootkit that contacted a different C2 server to obtain additional shellcode. These older versions appear to have been in use between the end of 2016 and mid-2017, while the latest version was active in 2020. An earlier version of the rootkit was also analyzed by Qihoo 360 in 2017.

Analysis of data related to both C2 servers found by the researchers indicates that the domains had a long lifetime but resolved to IP addresses only during limited time windows, outside of which the rootkit would have been inoperative.

Regarding the targets of CosmicStrand, Kaspersky noted that all victims in its telemetry appear to be private individuals using the free version of its product, located in China, Vietnam, Iran and Russia.

Probable Chinese threat actor

According to Kaspersky, several data points lead to the belief that "CosmicStrand was developed by a Chinese-speaking threat actor, or by leveraging common resources shared among Chinese-speaking threat actors."

The MyKings botnet, which is believed to have been developed by Chinese-speaking threat actors, uses a number of code patterns also observed in CosmicStrand. Both threats use identical tags when allocating memory in kernel mode and generate network packets the same way. The API hashing code used in both is also identical and, according to Kaspersky, has only been found in two other rootkits, MoonBounce and xTalker, both also tied to Chinese-speaking threat actors.

How to detect rootkits?

Rootkits are particularly difficult to detect, especially when they live in components outside the operating system's view, such as firmware, which is the case for CosmicStrand.

Security software that monitors activity at the lowest levels of the system may notice the rootkit's unusual behavior in memory or in the kernel and detect it that way.

Another way to detect it is from outside the infected host: its C2 traffic can be spotted on the network just like that of any other malware, using Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) or uninfected systems monitoring the same network.

If a computer is suspected of running a UEFI rootkit, incident responders should dump the firmware and check it for anomalies. A firmware image whose hash differs from the one the vendor publishes for that exact version is probably compromised. Note that a raw dump of the SPI flash also contains regions, such as UEFI variable storage, that legitimately change over time, so the comparison is best made on the individual firmware volumes or modules rather than on the whole dump.
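The specific modification described earlier, an entry point redirected into code added to a module's .reloc section, can also be checked for directly once the firmware has been dumped and its PE-format modules extracted. The following is an added example written for this article, not Kaspersky's tooling and not a CosmicStrand signature: a legitimate .reloc section contains only base-relocation blocks, whose total length is recorded in the PE's base-relocation data directory, so non-zero bytes after those blocks, or an entry point that resolves into .reloc, are anomalies worth a closer look. The minimal PE32+ image built by build_sample_image() and its layout are constructed for the example; in practice the check would be run over every PE module extracted from the dump.

```python
"""Added example: flag PE modules whose .reloc section carries more than relocations.

A legitimate .reloc section holds only IMAGE_BASE_RELOCATION blocks, and the
base-relocation data directory records how many bytes they occupy. Code tacked
onto the end of the section, or an entry point resolving into it, is anomalous.
The minimal PE32+ image built by build_sample_image() is constructed test
input for this example, not a real firmware module.
"""
import struct

FILE_ALIGN = 0x200
BASE_RELOC_DIR = 5          # index of the base-relocation entry in the data directory


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def parse_pe(data):
    """Parse just enough of a PE image: entry RVA, base-relocation directory, sections."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsec, opt_size = _u16(data, coff + 2), _u16(data, coff + 16)
    opt = coff + 20
    magic = _u16(data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dd = opt + (112 if magic == 0x20B else 96)      # data directory offset, PE32+ vs PE32
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return {"entry": _u32(data, opt + 16),
            "reloc_rva": _u32(data, dd + BASE_RELOC_DIR * 8),
            "reloc_size": _u32(data, dd + BASE_RELOC_DIR * 8 + 4),
            "sections": sections}


def check_reloc(data):
    """Return a list of findings for one PE image; an empty list means nothing odd."""
    pe = parse_pe(data)
    findings = []
    reloc = next((s for s in pe["sections"] if s["name"] == ".reloc"), None)
    if reloc is None:
        return findings                              # nothing to check
    sec_end_rva = reloc["vaddr"] + max(reloc["vsize"], reloc["rawsize"])
    if reloc["vaddr"] <= pe["entry"] < sec_end_rva:
        findings.append("entry point lies inside .reloc")
    if not reloc["vaddr"] <= pe["reloc_rva"] < sec_end_rva:
        findings.append("base relocation directory does not point into .reloc")
        return findings
    start = reloc["rawptr"] + (pe["reloc_rva"] - reloc["vaddr"])
    end = start + pe["reloc_size"]
    off = start
    while off < end:                                  # walk the IMAGE_BASE_RELOCATION blocks
        if off + 8 > len(data):
            findings.append("relocation data truncated")
            return findings
        _page_rva, block_size = struct.unpack_from("<II", data, off)
        if block_size < 8 or off + block_size > end:
            findings.append("malformed relocation block at file offset 0x%x" % off)
            return findings
        off += block_size
    trailing = data[end:reloc["rawptr"] + reloc["rawsize"]]   # bytes after the last block
    nonzero = len(trailing) - trailing.count(0)
    if nonzero:
        findings.append("%d non-zero bytes after the relocation blocks in .reloc" % nonzero)
    return findings


def build_sample_image(reloc_extra=b"", entry_rva=0x1000):
    """Assemble a constructed, minimal PE32+ image with a .text and a .reloc section.
    reloc_extra is appended after the single relocation block, mimicking added code."""
    reloc_blocks = struct.pack("<IIHH", 0x1000, 12, 0xA000, 0)   # one DIR64 entry + padding entry
    reloc_data = (reloc_blocks + reloc_extra).ljust(FILE_ALIGN, b"\0")
    text_data = b"\xc3".ljust(FILE_ALIGN, b"\0")                  # entry point: ret
    opt = bytearray(240)                                          # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)          # section / file alignment
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + BASE_RELOC_DIR * 8, 0x2000, len(reloc_blocks))
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x2022)

    def section(name, vaddr, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, FILE_ALIGN, vaddr, FILE_ALIGN, rawptr, 0, 0, 0, 0, chars)

    headers = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1000, 0x200, 0x60000020)     # code, execute, read
               + section(b".reloc", 0x2000, 0x400, 0x42000040))   # initialized data, discardable, read
    return headers.ljust(FILE_ALIGN, b"\0") + text_data + reloc_data


if __name__ == "__main__":
    for label, image in (("clean module", build_sample_image()),
                         ("code appended to .reloc", build_sample_image(b"\x48\x31\xc0\xc3")),
                         ("entry point redirected into .reloc", build_sample_image(entry_rva=0x200C))):
        print("%-36s %s" % (label, check_reloc(image) or "no findings"))
```

The check is deliberately a heuristic: trailing non-zero bytes can also be linker padding or debug data in some toolchains, so a finding means "inspect this module", not "infected". The definitive answer still comes from comparing the module against the vendor's own copy of the same firmware version.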

Finally, it needs to be understood that removing the malicious files from Windows is not enough: the rootkit reinstalls them from the firmware at every boot, and reinstalling the operating system does not help for the same reason. A clean, vendor-supplied firmware image must be flashed to replace the malicious one.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
