CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards
2022-07-26 01:37

Since at least 2016, Chinese-speaking hackers have been using malware that lies virtually undetected in the firmware images of some motherboards. This type of malware, commonly known as a UEFI rootkit, is one of the most persistent threats.

It is unclear how the threat actor managed to inject the rootkit into the firmware images of the target machines, but researchers found the malware on machines with ASUS and Gigabyte motherboards.

Malware planted in the UEFI firmware image is not only difficult to identify but also extremely persistent, as it cannot be removed by reinstalling the operating system or by replacing the storage drive.

Kaspersky was able to determine that the CosmicStrand UEFI rootkit was lodged in firmware images of Gigabyte or ASUS motherboards whose designs have the H81 chipset in common.

The researchers connected CosmicStrand to a Chinese-speaking actor based on code patterns that were also seen in the MyKings cryptomining botnet, where malware analysts at Sophos found Chinese-language artifacts.

The first widespread report about a UEFI rootkit found in the wild, LoJax, came from ESET in 2018; that rootkit was used in attacks by Russian hackers in the APT28 group.


News URL

https://www.bleepingcomputer.com/news/security/cosmicstrand-uefi-malware-found-in-gigabyte-asus-motherboards/

Related vendor

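| Vendor | # Products | Low (last 12M) | Medium (last 12M) | High (last 12M) | Critical (last 12M) | Total vulns (last 12M) |
|---|---|---|---|---|---|---|
| Asus | 553 | 19 | 116 | 94 | 33 | 262 |
| Gigabyte | 11 | 0 | 1 | 4 | 5 | 10 |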