Malware That Can Last OS Reinstalls Found On Asus, Gigabyte Mainboards

The malware was found focusing on older H81 mainboards and also feels to have been around since at least 2016, according to antivirus supplier Kaspersky.
Researchers have found malware that has been covertly invading computers containing Asus and Gigabyte mainboards for a minimum of six years.
Since 2016, Chinese-speaking hackers have been infiltrating units with the CosmicStrand malware, according to a statement by Bleeping Computer.
A malware strain with the ability of surviving OS reinstalls has been covertly infiltrating older motherboards from Asus and Gigabyte, according to antivirus supplier Kaspersky.
The malware, referred to CosmicStrand, is produced to contaminate the motherboard’s UEFI (Unified Extensible Firmware Interface), to make sure that it can continue to persist on a Windows machine, even when the storage drive is taken out.
On Monday, Kaspersky said it found out about CosmicStrand spreading on Windows home computers in China, Vietnam, Iran and Russia. All the targets were using Kaspersky’s free antivirus software, so they were likely private men and women.
The organization’s investigation discovered that CosmicStrand was identified on firmware images for older Asus and Gigabyte mainboards that utilized the H81 chipset, which in turn originally launched in 2013, however has since been discontinued.
By infecting the motherboard’s UEFI, CosmicStrand can implement malicious course of actions right as the PC starts. This can lead to the machine retrieving a malicious aspect from a hacker-controlled server and setting it up within the Windows OS.
Kapersky said that sadly, we were not able to obtain a copy of data emerging from the C2 (command and control) server. But the business did find confirmation the makers of CosmicStrand were seeking to remotely hijack the infected machines.
Kaspersky additionally isn’t certain how CosmicStrand is ending up on the victim computers. But it’s possible it arrived through another malware strain currently on the system, or via the hackers getting physical access to the devices.
Kaspersky additionally atated that evaluating the multiple firmware images we had the chance to obtain, they evaluate that the changes may have been performed with an automated patcher. If so, it may follow that the attackers had previous access to the target’s computer system in order to extract, modify and overwrite the mainboard’s firmware.
CosmicStrand isn’t the first UEFI-based malware; throughout the years, the antivirus sector has discovered several other variants. However, CosmicStrand seems to have stayed hidden under the radar for a number of years. Kaspersky’s probe located one sample of the malware was connecting to a hacker-controlled server that originally showed up in Dec. 2016. Yet another sample was found communicating to a different hacker-controlled server in 2020.
The servers the malware samples were communication to.
Additionally, Kaspersky indicated that the Chinese antivirus merchant Qihoo 360 also identified an early variation of CosmicStrand back in 2017, affecting an Asus B85M motherboard.
In a report Kaspersky likewise explained that Qihoo’s initial report shows that a buyer might have gotten a backdoored motherboard after placing an order at a second-hand reseller. We were not able to verify this information.
The company right now thinks Chinese hackers made CosmicStrand, citing how its computer code resembles with various other malware linked to Chinese-language hackers.
Kaspersky offerings will discover this risk and protect against it from executing it properly, making it harmless but it is unclear if there might be a firmware disinfection as there would be a chance of ruining the end user’s computer.
The only way to remove the infection for good is to re-flash the firmware of the motherboard, a fragile procedure that can be carried out via the BIOS this is for more advanced users only or making use of utilities given by the hardware provider. The extraordinary alternative way of eliminating this infection would be to change the computer’s mainboard and to then reinstall Windows.

About Author

Teacher, programmer, fan of One Piece and pretends to know how to cook. Michael is graduating in Computer Science - in the years 2019 and 2020 he was involved in several projects coordinated by the municipal education department, where the focus was to introduce students from the public network to the world of programming and robotics. Today he is an instructor for Spring at Wicked Sciences, but says that his heart will always belong to Python.