Your motherboard could be infected with very sneaky malware

Security researchers at Qihoo360 and Kaspersky have warned that some older motherboards carry a particularly stealthy piece of malware in their firmware.

Malware of this kind, a class of persistent threat commonly known as a UEFI rootkit, lives in the board's firmware flash rather than on the disk, which is why it survives a full wipe or even a replacement of the hard drive; only reflashing the firmware (or replacing the board) gets rid of it.

This instance, which Qihoo360 named Spy Shadow Trojan and Kaspersky named CosmicStrand, was found on machines with ASUS and Gigabyte motherboards, mostly discontinued models produced between 2013 and 2015. Kaspersky noted that because the rootkit sits in the firmware, it persists for as long as the device remains in service.

Difficult compromise to make

Explaining the findings on Twitter, former Kaspersky reverse engineer Mark Lechtik said that the compromised firmware images contained a modified CSMCORE DXE driver, the component that implements the Compatibility Support Module used for legacy (non-UEFI) boot, BleepingComputer reported.

"This driver has been modified to intercept the boot sequence and insert malicious logic into it," Lechtik said.

What researchers do not yet know is how the malware got onto the devices. Planting UEFI malware on an endpoint requires either physical access to the device or a precursor piece of malware that can rewrite the firmware image from within the running system.
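Because the implant lives in the flash chip and not on disk, the only place to look for it is a dump of the firmware itself. The script below is an added example, not tooling from the original report, Kaspersky or Qihoo360: it carves the PE executables (the form DXE drivers such as CSMCORE take inside a firmware volume) out of two raw SPI-flash dumps and reports which ones differ. The dump workflow it assumes (a known-good vendor image and a `flashrom -r` dump of the suspect board) is hypothetical, and the two images embedded in the script are constructed stand-ins, not real ASUS or Gigabyte firmware.

```python
"""Carve PE images out of two raw SPI-flash dumps and report which ones differ.

Assumed (hypothetical) workflow: a known-good dump of the vendor image and the
dump taken from the suspect board, e.g. `flashrom -p <programmer> -r dump.bin`.
The images built at the bottom are constructed stand-ins, not real firmware.
"""
import hashlib
import struct


def _pe_length(buf: bytes, off: int):
    """Return the on-disk length of a PE image whose MZ header is at `off`,
    or None if the bytes there are not a well-formed PE (e.g. a stray 'MZ')."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    num_sections = struct.unpack_from("<H", buf, pe + 6)[0]
    size_opt = struct.unpack_from("<H", buf, pe + 20)[0]
    sect_table = pe + 24 + size_opt
    end = sect_table + num_sections * 40
    for i in range(num_sections):
        s = sect_table + i * 40
        if s + 40 > len(buf):
            return None
        # Section header: SizeOfRawData at +16, PointerToRawData at +20 (relative to the MZ header).
        size_raw, ptr_raw = struct.unpack_from("<II", buf, s + 16)
        end = max(end, off + ptr_raw + size_raw)
    if end > len(buf):
        return None  # truncated image: refuse to carve it
    return end - off


def carve_pe_images(buf: bytes):
    """Return [(offset, length, sha256hex)] for every well-formed PE found in `buf`."""
    found = []
    pos = buf.find(b"MZ")
    while pos != -1:
        length = _pe_length(buf, pos)
        if length:
            found.append((pos, length, hashlib.sha256(buf[pos:pos + length]).hexdigest()))
            pos = buf.find(b"MZ", pos + length)  # skip the body of the carved image
        else:
            pos = buf.find(b"MZ", pos + 1)
    return found


def diff_firmware(baseline: bytes, dump: bytes):
    """Compare carved images by flash offset. A DXE driver patched in place shows up
    as 'modified' even when the disk, OS and bootloader all look clean."""
    base = {off: h for off, _, h in carve_pe_images(baseline)}
    cur = {off: h for off, _, h in carve_pe_images(dump)}
    report = {}
    for off in sorted(set(base) | set(cur)):
        if off in base and off in cur:
            report[off] = "unchanged" if base[off] == cur[off] else "modified"
        else:
            report[off] = "missing" if off in base else "added"
    return report


def _fake_pe(payload: bytes) -> bytes:
    """Constructed minimal PE32+: MZ stub, e_lfanew=0x40, one section holding `payload`."""
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)  # one section, no optional header
    hdr_end = 0x40 + 4 + 20 + 40  # = 0x80, where the section's raw data starts
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000,
                                           len(payload), hdr_end, 0, 0, 0, 0, 0x60000020)
    return mz + b"PE\0\0" + coff + section + payload


# Constructed images: two stand-in drivers plus a stray "MZ" in padding that must not be carved.
_PAD = b"\xff" * 0x100
_DECOY = b"MZ" + b"\0" * 0x3E
BASELINE_IMAGE = _PAD + _fake_pe(b"driver A body") + _DECOY + _fake_pe(b"driver B body") + _PAD
SUSPECT_IMAGE = _PAD + _fake_pe(b"driver A body") + _DECOY + _fake_pe(b"driver B patched") + _PAD

if __name__ == "__main__":
    for off, status in diff_firmware(BASELINE_IMAGE, SUSPECT_IMAGE).items():
        print(f"0x{off:08x}: {status}")
```

One caveat for real dumps: most vendor firmware volumes store DXE drivers LZMA- or Tiano-compressed, so a byte-level carve of the raw flash only sees the uncompressed files. Extract the volumes first (UEFITool or uefi-firmware-parser will do it) and run the same offset-and-hash comparison over the extracted files, and take the baseline from the vendor's published image rather than from a second board of unknown provenance.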

In the Qihoo360 case, one victim said he had bought the compromised motherboard second-hand online. The victims Kaspersky analyzed were in China, Iran, Vietnam and Russia and had almost nothing in common.

It is unclear who wrote the threat, although Kaspersky believes the same group is behind the MyKings crypto-mining botnet.

Although harder to remove than ordinary malware, UEFI implants are becoming more common. In October 2021, for example, ESET researchers described one they named ESPecter; they said it had been active since at least 2012 and was used primarily for espionage, as it could log keystrokes and steal documents.

Via: BleepingComputer