CosmicStrand: Advanced Firmware Rootkit Enables Long-Lasting Persistence

JAKARTA - Kaspersky researchers have discovered a rootkit, developed by an advanced persistent threat (APT) actor, that stays on the victim's machine even after the operating system is rebooted or Windows is reinstalled. That survivability is what makes it such a dangerous, long-lasting threat.

Dubbed "CosmicStrand", the UEFI firmware rootkit has been used primarily to attack private individuals in China, with rare cases in Vietnam, Iran, and Russia.

UEFI firmware is a critical component of most modern hardware. Its code is responsible for booting the device and launching the software components that in turn load the operating system.

If the UEFI firmware is modified to contain malicious code, that code runs before the operating system, which makes its activity potentially invisible to security and defense solutions running inside the operating system.

This, together with the fact that the firmware lives on a separate flash chip rather than on the hard drive, makes attacks against UEFI firmware extremely evasive and persistent: no matter how many times the operating system is reinstalled, the malware remains on the device.

CosmicStrand, a UEFI firmware rootkit recently discovered by Kaspersky researchers, is attributed to a previously unknown Chinese-speaking threat actor.

While the attackers' ultimate goal is still unknown, the affected victims appear to be individual users rather than computers belonging to companies or organizations.

All of the attacked machines ran Windows: every time the computer was rebooted, the firmware implant arranged for a small piece of malicious code to be executed after Windows started. Its purpose is to connect to a C2 (command-and-control) server and download additional malicious executables.

The researchers were unable to determine how the rootkit ended up on the infected machines, but unconfirmed accounts found online suggest that some users received already-compromised devices when ordering hardware components online.

The most striking aspect of CosmicStrand is that the UEFI implant appears to have been used in the wild since late 2016, long before UEFI attacks began to be publicly described.

"Despite being recently discovered, the CosmicStrand UEFI firmware rootkit appears to have been in use for quite some time. This suggests that some threat actors have very advanced capabilities that they have managed to keep under the radar since 2017. We are left to wonder what new tools they have created that we have yet to discover," comments Ivan Kwiatkowski, senior security researcher in the Global Research and Analysis Team (GReAT) at Kaspersky.

A more detailed analysis of the CosmicStrand framework and its components is published on Securelist.

To stay protected from threats like CosmicStrand, Kaspersky recommends:

- Give your SOC (security operations center) team access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for TI, backed by more than 20 years of Kaspersky data and cyberattack insights.
- Implement EDR solutions for endpoint-level detection, investigation, and fast incident recovery, such as Kaspersky Endpoint Detection and Response.
- Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
- Use a robust endpoint security product that can detect malicious use of firmware, such as Kaspersky Endpoint Security for Business.
- Update your UEFI firmware regularly and only use firmware from trusted vendors.
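The last recommendation, keeping UEFI firmware current, is only actionable if you know what firmware each machine is running. The script below is an added example, not code from Kaspersky or from the Securelist analysis: it records the firmware version, release date, and Secure Boot state of a Windows host so stale or unexpected firmware stands out in fleet inventory. The 365-day "stale" threshold and the CSV output path are assumptions for illustration, not a Kaspersky figure.

```powershell
# Added example (not Kaspersky's or the article's code): baseline firmware facts
# on a Windows host so stale or unexpected firmware stands out in inventory.
# Assumption: the 365-day threshold is a local policy choice, not a Kaspersky figure.
# Run from an elevated PowerShell session; Confirm-SecureBootUEFI needs admin rights.

$StaleAfterDays = 365

# SMBIOS data as reported by the firmware itself.
$bios  = Get-CimInstance -ClassName Win32_BIOS
$board = Get-CimInstance -ClassName Win32_BaseBoard

# Confirm-SecureBootUEFI throws on legacy-BIOS machines or without admin rights,
# so record the failure instead of aborting the inventory run.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = "unknown ($($_.Exception.Message))"
}

# Get-CimInstance returns ReleaseDate as a DateTime; it can be null on some boards.
$ageDays = $null
if ($bios.ReleaseDate) {
    $ageDays = (New-TimeSpan -Start $bios.ReleaseDate -End (Get-Date)).Days
}

$report = [pscustomobject]@{
    Host            = $env:COMPUTERNAME
    BoardVendor     = $board.Manufacturer
    BoardProduct    = $board.Product
    BiosVendor      = $bios.Manufacturer
    BiosVersion     = $bios.SMBIOSBIOSVersion
    BiosReleaseDate = $bios.ReleaseDate
    BiosAgeDays     = $ageDays
    SecureBootOn    = $secureBoot
    Stale           = ($null -ne $ageDays -and $ageDays -gt $StaleAfterDays)
}

$report | Format-List

# One CSV row per host; collect these centrally and compare BiosVersion against
# the vendor's currently published version for each BoardProduct.
$report | Export-Csv -Path "$env:TEMP\firmware-baseline-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

One caveat a practitioner should keep in mind: the version string and release date come from SMBIOS tables that the firmware itself populates, so a modified image can report whatever it likes. This check finds machines that were never updated or that carry a version the vendor never shipped; confirming that the firmware is actually unmodified requires dumping the SPI flash contents and comparing them against the vendor's signed image.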
