Skip to main content

This malware infects your motherboard and is almost impossible to remove

Researchers have discovered malware that has been secretly infecting systems featuring Asus and Gigabyte motherboards for at least six years.

Since 2016, Chinese-speaking hackers have been infiltrating machines with the CosmicStrand malware, according to a report from Bleeping Computer.

A digital encrypted lock with data multilayers.
Getty Images

Notably, once the malicious code has been distributed, it remains largely undetected within the firmware images for certain motherboards. This particular method of targeting firmware images is classified as a Unified Extensible Firmware Interface (UEFI) rootkit.

The strain was named CosmicStrand by researchers working for cybersecurity firm Kaspersky. However, a previous version of the malware — dubbed Spy Shadow Trojan — was initially uncovered by analysts at Qihoo360.

For reference, UEFI is an important application that attaches an operating system with the firmware of the hardware itself. As such, UEFI code is what runs when a computer initially starts up, even before any security measures of the system.

As a result, malware that has been placed in the UEFI firmware image is extremely effective in evading detection measures. More worryingly, however, is the fact that the malware can’t technically be removed by operating a clean reinstall of the operating system. You can’t even get rid of it by replacing the storage drive.

“This driver was modified so as to intercept the boot sequence and introduce malicious logic to it,” said Mark Lechtik, who previously worked as a Kaspersky reverse engineer.

Kaspersky said it found that the CosmicStrand UEFI rootkit was discovered within the firmware images of Gigabyte or Asus motherboards utilizing the H81 chipset, which is associated with hardware sold between 2013 to 2015.

Computer motherboard stock photo

CosmicStrand victims were private individuals located within China, Iran, Vietnam, and Russia, and thus links to a nation state, organization, or industry could not be established. That said, researchers confirmed a CosmicStrand link to a Chinese-speaking threat actor due to code patterns that made an appearance in a separate cryptomining botnet.

Kaspersky stressed that the CosmicStrand UEFI firmware rootkit can more or less remain on an infected system forever.

UEFI malware was first reported on in 2018 by another online security company, ESET. Known as LoJax, it was used by Russian hackers who belonged to the APT28 group. Since then, the amount of UEFI-based rootkits infecting systems has steadily increased, which includes ESPecter — a kit that is said to have been deployed for espionage purposes since 2012.

Elsewhere, security analysts said it detected “the most advanced” UEFI firmware earlier this year in the form of MoonBounce.

It’s been a busy year for groups and hackers involved in the malware community. Most recently, threat actors have managed to use Microsoft Calculator to distribute malicious code, while Microsoft itself launched a new initiative where it offers businesses access to its internal security services.

Editors' Recommendations

Zak Islam
Computing Writer
Zak Islam was a freelance writer at Digital Trends covering the latest news in the technology world, particularly the…
This new malware is targeting Facebook accounts – make sure yours is safe
Facebook logo appears with a hooded figure over a cracked blue background.

In the ongoing barrage of cyberattacks, Facebook users are being targeted by a new version of the Ducktail malware that originally surfaced in July. The first implementation was specifically aimed at Facebook Business accounts, but it has recently become a more widespread danger.

The latest version of Ducktail collects any and all Facebook data available on an infected computer. If it happens to be a business account, payment methods could be discovered, putting your money at risk. Furthermore, Facebook Business data might include billing information and cycles, which could be used to help disguise unauthorized purchases.

Read more
New malware can steal your credit card details — and it’s spreading fast
An individual surrounded by several computers typing on a laptop.

A new, highly dangerous malware called "Erbium" has been making the rounds over the last couple of months, and it's highly likely that it will spread to new channels.

Erbium is an information-stealing tool that targets passwords, credit card information, cookies, cryptocurrency wallets, and more. Unfortunately, it's widely available, which means that it could be used in new ways in the future.

Read more
Malware has a terrible new way to get to your computer
A villager looks at a sunset.

You've heard of malware spreading through spammy emails and mysterious links on strange websites. But now there's a new avenue of attack for bad actors to take -- and it's via Minecraft. Yes, you read it correctly. The open-world building game loved by seven-year-olds around the globe is quickly becoming a favorite method for spreading malware.

As reported by Bleeping Computer, Kaspersky Labs researched the phenomena from July 2021 until July 2022, and it found that in-game malware accounted for a significant amount of the malware that was spread in that time. Although there was a 30% drop in malware attacks in that year when compared to 2020, the amount of gaming-related malware actually increased. Minecraft on PC was the preferred vector.

Read more