CosmicStrand: Sophisticated firmware rootkit allows durable persistence

Woburn, MA – July 25, 2022 – Kaspersky’s researchers have uncovered a rootkit developed by an advanced persistent threat (APT) actor that stays on the victim’s machine even if the operating system is rebooted or Windows is reinstalled – making it very dangerous in the long run. Dubbed “CosmicStrand,” this UEFI firmware rootkit was used primarily to attack private individuals in China, with rare cases in Vietnam, Iran and Russia.

UEFI firmware is a critical component in the vast majority of hardware. Its code is responsible for booting up a device, launching the software component that loads the operating system. If the UEFI firmware is somehow modified to contain malicious code, that code will be launched before the operating system, making its activity potentially invisible to security solutions and to the operating system’s defenses. This, along the fact that the firmware resides on a chip separate from the hard drive, makes attacks against UEFI firmware exceptionally evasive and persistent. Regardless of how many times the operating system is reinstalled, the malware will stay on the device.

CosmicStrand, the recent UEFI firmware discovery made by Kaspersky’s researchers, is attributed to a previously unknown Chinese-speaking actor. While the end goal pursued by the attackers remains unknown, it was observed that affected victims were individual users, as opposed to corporate computers.

All of the attacked machines were Windows-based. Every time a computer rebooted, a bit of malicious code would be executed after Windows started. Its purpose was to connect to a C2 (command-and-control) server and download an additional malicious executable.

The researchers were unable to determine how the rootkit ended up on the infected machines in the first place, but unconfirmed accounts discovered online indicate that some users have received compromised devices while ordering hardware components online.

The most striking aspect of CosmicStrand is that the UEFI implant seems to have been used in the wild since the end of 2016, long before UEFI attacks started being publicly described.

“Despite being recently discovered, the CosmicStrand UEFI firmware rootkit seems to have been being deployed for quite a long time,” Ivan Kwiatkowski, senior security researcher at Global Research and Analysis Team (GReAT) at Kaspersky. “This indicates that some threat actors have had very advanced capabilities that they’ve managed to keep under the radar since 2017. We are left to wonder what new tools they have created in the meantime that we have yet to discover.”

A more detailed analysis of the CosmicStrand framework and its components is presented on Securelist.

In order to stay protected from threats such as CosmicStrand, Kaspersky recommends:

• Providing your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for TI, providing cyberattack data and insights gathered by Kaspersky for over 20 years.
• Implementing EDR solutions for endpoint level detection, investigating and quickly remediating incidents, such as Kaspersky Endpoint Detection and Response.
• Providing your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
• Using a robust endpoint security product that can detect the use of firmware, such as Kaspersky Endpoint Security for Business.
• Regularly updating your UEFI firmware and only using firmware from trusted vendors.