Security Week 2231: CosmicStrand UEFI Rootkit

Last week, Kaspersky Lab researchers published a detailed report on the new CosmicStrand rootkit. Several samples of malicious code were analyzed, all extracted from motherboards built around the Intel H81 chipset (produced from 2013 to 2020, supporting Intel processors of the Haswell generation). The initial infection method for these computers is unknown, but the authors of the report suggest that a vulnerability common to such motherboards may have been exploited.
The purpose of a rootkit is to give attackers access to the infected system even after the operating system has been reinstalled and the data completely wiped. To achieve this, CosmicStrand lives in the UEFI firmware on the motherboard and, when the computer boots, modifies the Windows kernel code. Running its own code with kernel privileges from that point on makes the rootkit extremely hard to detect from inside the operating system: any detection tool runs with at most the privileges the rootkit already holds.
CosmicStrand is believed to have Chinese roots, and an earlier version of the rootkit was analyzed by Qihoo 360 back in 2017. In that case, incidentally, there was more information about the infection vector: the victim had bought a second-hand motherboard and most likely became an accidental target.
In short, CosmicStrand works as follows. The malicious UEFI module runs when the computer is powered on, before the operating system boots. It injects code into the Windows boot manager, which in turn lets it patch the Windows OS loader. Next, a function in the Windows kernel itself is modified. Once the system is up, the rootkit contacts a command-and-control server, from which the final payload for spying on the user is downloaded. All stages of the rootkit are shown in the diagram in the report.
The malicious UEFI module is a modified CSMCORE driver, a component normally used to boot the computer in so-called Legacy (CSM) mode. Having reached the Windows kernel, the rootkit attempts to disable PatchGuard (Kernel Patch Protection), the mechanism whose precise purpose is to prevent modification of kernel code and critical kernel structures. The authors of CosmicStrand built in support for several Windows builds, the earliest being Windows 10 Redstone 1 (version 1607), released in August 2016.
When studying attacks of this complexity, researchers often have to work with only individual pieces of the attack chain. In this case, both the initial infection method and the response the C&C server sends to an infected system were unknown. On one of the infected systems, we managed to find a piece of malicious code that is the result of executing what was downloaded from the attackers' server. This executable adds a new user named aaaabbbb to the system and gives it local administrator privileges.
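As an added example (not part of the Kaspersky report and not the rootkit's or the researchers' code), here is a PowerShell check a responder could run on a suspected Windows host to look for the one payload effect the report does describe: the local account aaaabbbb and its membership in the Administrators group. It also searches the Security event log for account creation (event 4720) and local group membership changes (event 4732), which record the same activity even if the account has since been renamed or deleted. The event IDs are standard Windows Security events; the function name, the output shape and the one-year lookback are this example's own assumptions.

```powershell
# Added example, not from the Kaspersky report. Run from an elevated
# PowerShell prompt: reading the Security log requires administrator rights.
# The account name is the only indicator the report gives; the function
# name, the result layout and the default lookback are assumptions.

function Find-CosmicStrandAccount {
    param(
        # Account name created by the payload analysed in the report.
        [string]$Name = 'aaaabbbb',
        # How far back in the Security log to search.
        [int]$Days = 365
    )

    $findings = [ordered]@{
        AccountExists  = $false
        IsLocalAdmin   = $false
        CreationEvents = @()
        GroupAddEvents = @()
    }

    # 1. Does the account exist right now?
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if ($user) {
        $findings.AccountExists = $true

        # 2. Is it in the local Administrators group? Member names come back
        #    as COMPUTER\user, so match on the trailing part only.
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
        $findings.IsLocalAdmin = [bool]($admins | Where-Object {
            $_.ObjectClass -eq 'User' -and $_.Name -like "*\$Name"
        })
    }

    # 3. Security log: 4720 = user account created, 4732 = member added to a
    #    security-enabled local group. 4720 names the new account in its
    #    message text; 4732 carries only the member's SID, so match on the
    #    SID when the account still exists and we can read it.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4720, 4732
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $namePattern = "Account Name:\s+$([regex]::Escape($Name))\b"
    $findings.CreationEvents = @($events | Where-Object {
        $_.Id -eq 4720 -and $_.Message -match $namePattern
    })

    if ($user) {
        $sidPattern = [regex]::Escape($user.SID.Value)
        $findings.GroupAddEvents = @($events | Where-Object {
            $_.Id -eq 4732 -and $_.Message -match $sidPattern
        })
    }

    [pscustomobject]$findings
}

$result = Find-CosmicStrandAccount
$result | Format-List

if ($result.AccountExists -or $result.CreationEvents.Count -gt 0) {
    Write-Warning "Indicator account found or created on this host; treat the firmware as suspect."
}
```

A clean result from this check proves very little. It only covers the single payload that happened to be recovered, and a payload delivered from the C&C server can be changed at will. The implant itself sits in the SPI flash and is invisible to tools running inside Windows; confirming or ruling out an infection means dumping the firmware and comparing it, module by module, against a known-good vendor image.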
The analysis of the two known C&C servers is also of interest. Judging by the DNS record history for their domain names, each server was live for only a limited period: the record pointing the domain at a specific IP address was later removed. One domain was active in 2016-2017, the other in 2020. Most likely, a different infrastructure was used to control infected systems between 2017 and 2020.
Systems infected with CosmicStrand have been found in Russia, Iran, Vietnam and China. The rootkit was attributed to Chinese-speaking developers on the basis of code overlaps with known malware, in particular the MyKings botnet. It also shares features with the previously studied MoonBounce rootkit.
Rootkits are difficult to develop, and they are even harder to study and defend against, because malware at this level has almost unlimited control over the infected system. In their predictions for 2022, Kaspersky Lab experts had already noted that rootkits would be used more actively despite the development effort they require. A successful attack gives persistent access to the computer for its entire service life and survives a complete wipe of the data. Moreover, in the case of CosmicStrand we are dealing with code dating from 2016; since then, the sophistication and effectiveness of rootkits may well have grown.
What else happened:
Threatpost gives examples of Telegram and Discord chats being used for malicious activity: storing stolen data and controlling infected systems.
Fresh phishing statistics name the most frequently impersonated brands: alongside Microsoft, the French bank Crédit Agricole made the top three.