The cybersecurity company Kaspersky has detected a UEFI rootkit, which it has dubbed CosmicStrand, thanks to its antivirus and the work of its researchers. According to their investigation, this threat has been in use since 2016. It keeps computers infected even if the operating system is reinstalled or the hard drive is replaced.
What is a rootkit?
Avast, another computer security company, defines a rootkit as “a stealthy and dangerous type of malware that allows hackers to access your computer without your knowledge.” The CosmicStrand case is nearly undetectable and uses the Unified Extensible Firmware Interface (UEFI), an operating system in its own right.
The Kaspersky study warns that the UEFI firmware resides in the flash storage chip connected to the SPI bus, which complicates detection of the vulnerability. In addition, it is the first thing that runs when the computer is turned on, so it influences the operating system, cybersecurity applications, and all other software.
The origin of CosmicStrand
Kaspersky attributes the authorship of the UEFI rootkit to a Chinese-speaking cybercriminal group linked to a cryptocurrency-mining Trojan. “The most surprising aspect of this report is that this UEFI implant appears to have been in use since late 2016, long before UEFI attacks began to be described publicly,” they stress. “This discovery raises a final question: if this is what attackers were using back then, what are they using today?”
Kaspersky researchers have found the rootkit in the firmware images of some Gigabyte and Asus motherboards. Specifically, CosmicStrand sets ‘hooks’ at critical points in the boot process so that it can continue attacking even if the device owner resets the computer.