Security News > 2022 > August > New CosmicStrand rootkit targets Gigabyte and ASUS motherboards

New CosmicStrand rootkit targets Gigabyte and ASUS motherboards
2022-08-01 14:31

New research from Kaspersky exposes a rootkit dubbed CosmicStrand, which sits quietly in the Unified Extensible Firmware Interface of specific computers.

According to Kaspersky, the rootkit is located in the firmware images of Gigabyte or ASUS motherboards.

At the end of the operating system boot, the CosmicStrand rootkit allocates a buffer in the kernel's address space and maps a shellcode there, before executing it.

The kernel level malicious payload. The shellcode run by the rootkit waits for a new thread in winlogon.

Rootkits are particularly difficult to detect, especially when they use hardware capabilities that are out of the operating system, which is the case for the CosmicStrand rootkit.

Another way to detect it is via all systems that are not infected by the rootkit but connected to the same network: it is possible to detect the malicious network activity just as for any other piece of malware by using Intrusion Detection Systems/Prevention Detection Systems.


News URL

https://www.techrepublic.com/article/new-cosmicstrand-rootkit-targets-gigabyte-and-asus-motherboards/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Asus 438 1 80 104 35 220
Gigabyte 7 0 0 4 3 7