Experts Uncover New 'CosmicStrand' UEFI Firmware Rootkit Used by Chinese Hackers
2022-07-26 02:59

An unknown Chinese-speaking threat actor has been attributed to a new kind of sophisticated UEFI firmware rootkit called CosmicStrand.

"The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset," Kaspersky researchers said in a new report published today.

CosmicStrand, a mere 96.84KB file, is also the second strain of UEFI rootkit to be discovered this year after MoonBounce in January 2022, which was deployed as part of a targeted espionage campaign by the China-linked advanced persistent threat group known as Winnti.

"Shellcodes received from the server might be stagers for attacker-supplied PE executables, and it is very likely that many more exist," Kaspersky noted, adding that it found two versions of the rootkit: one used between the end of 2016 and mid-2017, and the latest variant, which was active in 2020.

Interestingly, Chinese cybersecurity vendor Qihoo360, which shed light on the early version of the rootkit in 2017, raised the possibility that the code modifications may have been the result of a backdoored motherboard obtained from a second-hand reseller.

"The most striking aspect is that this UEFI implant seems to have been used in the wild since the end of 2016 - long before UEFI attacks started being publicly described," the researchers said.

News URL

https://thehackernews.com/2022/07/experts-uncover-new-cosmicstrand-uefi.html