The malware was found targeting earlier H81 mainboards and seems to have been around since at least 2016, according to antivirus provider Kaspersky.
Researchers have found malware that has been covertly infecting machines built on Asus and Gigabyte mainboards for at least six years.
Since 2016, Chinese-speaking hackers have been compromising machines with the CosmicStrand malware, according to a report by Bleeping Computer.
A malware strain capable of withstanding OS reinstalls has been covertly infiltrating older mainboards from Asus and Gigabyte, according to antivirus vendor Kaspersky.
The malware, dubbed CosmicStrand, is designed to infect the motherboard’s UEFI (Unified Extensible Firmware Interface) so that it persists on a Windows computer even if the storage drive is removed.
On Monday, Kaspersky said it found CosmicStrand on Windows laptop computers in China, Vietnam, Iran and Russia. All the victims were using Kaspersky’s free antivirus software, so they were probably private individuals.
The vendor’s investigation found CosmicStrand in firmware images for older Asus and Gigabyte mainboards based on the H81 chipset, which launched in 2013 but has since been discontinued.
By tampering with the mainboard’s UEFI, CosmicStrand can run malicious code as soon as the PC starts up. This can lead to the machine fetching a malicious component from a hacker-controlled server and installing it inside the Windows OS.
Kaspersky said that, "regrettably, we were not able to obtain a copy of data originating from the C2 (command-and-control) server." But the firm did find evidence that the developers of CosmicStrand were attempting to remotely control the infected computers.
Kaspersky likewise isn’t sure how CosmicStrand is ending up on victims’ PCs. However, it is entirely possible it arrived through another malware strain already on the system, or through the hackers gaining physical access to the devices.
Kaspersky also stated that, after reviewing the multiple firmware images it was able to obtain, it assesses that the modifications may have been made with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware.
CosmicStrand isn’t the first UEFI-based malware; over the years, the antivirus industry has discovered several other strains. But CosmicStrand appears to have stayed under the radar for a number of years. Kaspersky’s analysis found one sample of the malware connecting to a hacker-controlled server that first appeared in Dec. 2016. Another sample was found communicating with a different hacker-controlled server in 2020.
The servers the malware samples were communicating with.
Moreover, Kaspersky pointed out that the Chinese antivirus vendor Qihoo 360 also found an early variant of CosmicStrand back in 2017, affecting an Asus B85M motherboard.
In its report, Kaspersky also said that Qihoo’s initial report indicates a buyer might have received a backdoored mainboard after placing an order with a second-hand reseller, adding: "We were not able to validate this information."
The company currently believes Chinese hackers developed CosmicStrand, pointing to similarities between its code and other malware linked to Chinese-speaking hackers.
Kaspersky products will detect this threat and block it from executing properly, rendering it harmless, but it is unclear whether firmware disinfection will be offered, since there would be a real risk of damaging the user’s equipment.
The only way to remove the infection for good is to re-flash the mainboard’s firmware, a delicate operation that can be done through the BIOS (for advanced users only) or with utilities provided by the hardware vendor. The drastic alternative is to replace the computer’s motherboard and then reinstall Windows.
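Before re-flashing, a practitioner usually wants to know whether a board’s firmware actually deviates from the vendor’s image, and where. The script below is an added example, not code from the article or from Kaspersky: it walks the UEFI firmware volumes in a raw SPI flash dump, hashes every FFS file it finds, and reports files that were added, removed or modified relative to a known-good vendor image for the same board and version. The firmware images, file GUIDs and file bodies are constructed fixtures built inside the script so that it runs offline; on a real board you would pass in the dumped flash and the vendor download instead. It assumes uncompressed FFS2 volumes at the top level of the image and does not descend into compressed or nested sections.

```python
import hashlib
import struct
import uuid

# Layout constants from the UEFI PI specification (EFI_FIRMWARE_VOLUME_HEADER / EFI_FFS_FILE_HEADER).
FV_SIGNATURE = b"_FVH"          # UINT32 0x4856465F at header offset 40, stored little-endian
FV_SIG_OFFSET = 40
FFS_HEADER_LEN = 24
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FILE_TYPES = {0x02: "FREEFORM", 0x03: "SEC_CORE", 0x04: "PEI_CORE", 0x05: "DXE_CORE",
              0x06: "PEIM", 0x07: "DXE_DRIVER", 0x09: "APPLICATION", 0xF0: "PAD"}


def find_volumes(image):
    """Yield (start, length, header_length) for each firmware volume with a plausible header."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - FV_SIG_OFFSET
        if start >= 0 and start + 56 <= len(image):
            fv_len, = struct.unpack_from("<Q", image, start + 32)
            hdr_len, = struct.unpack_from("<H", image, start + 48)
            if 56 <= hdr_len < fv_len <= len(image) - start:
                yield start, fv_len, hdr_len
                pos = image.find(FV_SIGNATURE, start + fv_len)
                continue
        pos = image.find(FV_SIGNATURE, pos + 1)


def walk_files(image, fv_start, fv_len, hdr_len):
    """Yield (guid, type_name, body) for every FFS file in one firmware volume."""
    pos = fv_start + hdr_len
    end = fv_start + fv_len
    while pos + FFS_HEADER_LEN <= end:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:            # erased flash: end of the file list
            break
        guid = str(uuid.UUID(bytes_le=hdr[:16]))
        ftype = hdr[18]
        size = int.from_bytes(hdr[20:23], "little")    # 24-bit size, header included
        if size < FFS_HEADER_LEN or pos + size > end:
            break                                       # corrupt header: stop rather than misparse
        if ftype != 0xF0:                               # pad files carry no content worth hashing
            yield guid, FILE_TYPES.get(ftype, f"0x{ftype:02x}"), image[pos + FFS_HEADER_LEN:pos + size]
        pos = fv_start + (((pos - fv_start) + size + 7) & ~7)   # files are 8-byte aligned in the FV


def inventory(image):
    """Map 'fv<n>/<guid>' to (type_name, sha256 of file body) across all volumes in an image."""
    inv = {}
    for n, (start, length, hdr_len) in enumerate(find_volumes(image)):
        for guid, ftype, body in walk_files(image, start, length, hdr_len):
            inv[f"fv{n}/{guid}"] = (ftype, hashlib.sha256(body).hexdigest())
    return inv


def diff_against_reference(dump, reference):
    """Compare a firmware dump to a known-good image; return (added, removed, modified) file keys."""
    seen, known = inventory(dump), inventory(reference)
    added = sorted(k for k in seen if k not in known)
    removed = sorted(k for k in known if k not in seen)
    modified = sorted(k for k in seen if k in known and seen[k][1] != known[k][1])
    return added, removed, modified


def build_image(files):
    """Constructed fixture (not a real vendor image): one FFS2 volume holding the given files."""
    body = b""
    for guid, ftype, data in files:
        size = FFS_HEADER_LEN + len(data)
        hdr = (uuid.UUID(guid).bytes_le + b"\x00\x00" + bytes([ftype, 0x00])
               + size.to_bytes(3, "little") + b"\xf8")      # checksum/state fields are not validated here
        entry = hdr + data
        body += entry + b"\xff" * ((-len(entry)) % 8)
    hdr_len = 56 + 16                                        # fixed header + block map (1 entry + terminator)
    fv_len = hdr_len + len(body) + 64                        # trailing erased flash
    header = (b"\x00" * 16 + FFS2_GUID.bytes_le
              + struct.pack("<Q4sIHHHBB", fv_len, FV_SIGNATURE, 0, hdr_len, 0, 0, 0, 2)
              + struct.pack("<IIII", 1, fv_len, 0, 0))
    return b"\xff" * 256 + header + body + b"\xff" * 64      # 256 bytes of erased flash before the volume


# Constructed GUIDs and bodies; the "dump" has one patched driver and one driver the vendor never shipped.
REFERENCE_IMAGE = build_image([
    ("11111111-2222-4333-8444-555555555555", 0x05, b"dxe core body"),
    ("a1b2c3d4-0000-4000-8000-000000000001", 0x07, b"vendor driver A v1"),
    ("a1b2c3d4-0000-4000-8000-000000000002", 0x07, b"vendor driver B v1"),
])
DUMP_IMAGE = build_image([
    ("11111111-2222-4333-8444-555555555555", 0x05, b"dxe core body"),
    ("a1b2c3d4-0000-4000-8000-000000000001", 0x07, b"vendor driver A v1"),
    ("a1b2c3d4-0000-4000-8000-000000000002", 0x07, b"vendor driver B v1 + patch"),
    ("a1b2c3d4-0000-4000-8000-0000000000ff", 0x07, b"unexpected driver"),
])

if __name__ == "__main__":
    added, removed, modified = diff_against_reference(DUMP_IMAGE, REFERENCE_IMAGE)
    for label, keys in (("added", added), ("removed", removed), ("modified", modified)):
        for k in keys:
            print(f"{label:8} {k}")
```

A non-empty "added" or "modified" list is a trigger for deeper analysis and for the re-flash the article describes, not proof of an implant on its own: vendor updates, NVRAM variable stores and board-specific configuration regions also produce differences, so compare against the exact firmware version the board reports.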