A UEFI firmware bootkit in the wild
Despite the advanced capabilities they provide, low-level implants such as bootkits and rootkits are only deployed by the most sophisticated attackers due to the risk they pose to the victim system’s stability. In recent years, Kaspersky has however observed a number of new low-level malware, such as MosaicRegressor, MoonBounce, and the object of this talk, CosmicStrand. CosmicStrand is a UEFI firmware bootkit that hides in select Asus and Gigabyte motherboards in order to provide persistence so deep that it would survive a Windows reinstallation. CosmicStrand starts execution when the victim machine is powered on, and propagates a malicious component up to the Windows kernel, where it injects a shellcode tasked with downloading further malware from a C2 server.
This talk presents the inner workings of the rootkit, but also delves into its mysterious history. The variants we discovered appeared between 2016 and 2020, with year-long gaps in the middle during which the corresponding infrastructure appears to have been inactive. We also study the interesting code similarities between CosmicStrand and the MyKings botnet, which is linked with the Chinese-speaking cybercrime ecosystem.
Ivan Kwiatkowski is an OSCP and OSCE-certified penetration tester and malware analyst who has been working as a Senior Security Researcher in the Global Research & Analysis Team at Kaspersky since 2018. He maintains an open-source dissection tool for Windows executables and his research has been presented during several cybersecurity conferences. As a digital privacy activist, he operates an exit node of the Tor network. Kwiatkowski also delivers Kaspersky’s reverse-engineering training in Europe.