
This malware infects your motherboard and is almost impossible to remove

Researchers have discovered malware that has been secretly infecting systems featuring Asus and Gigabyte motherboards for at least six years.

Since 2016, Chinese-speaking hackers have been infiltrating machines with the CosmicStrand malware, according to a report from Bleeping Computer.


Notably, once the malicious code has been deployed, it remains largely undetected within the firmware images of certain motherboards. Malware that targets firmware images in this way is classified as a Unified Extensible Firmware Interface (UEFI) rootkit.


The strain was named CosmicStrand by researchers working for cybersecurity firm Kaspersky. However, a previous version of the malware — dubbed Spy Shadow Trojan — was initially uncovered by analysts at Qihoo360.

For reference, UEFI is the interface that connects an operating system to the firmware of the hardware itself. As such, UEFI code runs when a computer first starts up, before any of the operating system’s security measures have loaded.

As a result, malware placed in the UEFI firmware image is extremely effective at evading detection. More worrying, however, is the fact that the malware cannot be removed by a clean reinstall of the operating system. You can’t even get rid of it by replacing the storage drive.
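Because a firmware implant survives OS reinstalls and drive swaps, the practical defensive check is to compare the firmware actually present on a board against a known-good image from the vendor. The script below is an added example and is not code from the article, from Kaspersky, or from any board vendor: it walks a flash image for UEFI firmware volume headers (the `_FVH` signature 40 bytes into `EFI_FIRMWARE_VOLUME_HEADER`), validates each header's 16-bit checksum so stray signature bytes are rejected, hashes every volume, and reports which volumes differ between a baseline and a dump. The two images it runs on are constructed inline; a real dump would come from the vendor's BIOS download or an SPI flash read with a tool such as flashrom, which is an assumption about tooling rather than something the article describes.

```python
"""Enumerate and hash UEFI firmware volumes so a firmware dump can be compared
against a known-good vendor image. Added example; not from the article or Kaspersky."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
SIGNATURE_OFFSET = 40                      # "_FVH" sits 40 bytes into the FV header
FV_FIXED = struct.Struct("<16s16sQ4sIHHHBB")   # 56-byte fixed part; block map follows
KNOWN_FILESYSTEMS = {                      # standard firmware file system GUIDs
    uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3"): "FFS2",
    uuid.UUID("5473c07a-3dcb-4dca-bd6f-1e9689e7349a"): "FFS3",
}


def header_checksum_ok(header: bytes) -> bool:
    """The UEFI spec requires the 16-bit word sum over HeaderLength bytes to be zero."""
    if len(header) % 2:
        return False
    words = struct.unpack("<%dH" % (len(header) // 2), header)
    return sum(words) & 0xFFFF == 0


def find_volumes(image: bytes) -> list:
    """Scan for candidate headers, keep only structurally valid ones, hash each volume."""
    volumes = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - SIGNATURE_OFFSET
        nxt = pos + 1                          # default: keep scanning byte-wise
        if start >= 0 and start + FV_FIXED.size <= len(image):
            (_zero, guid_le, fv_len, _sig, _attrs, hdr_len,
             _cksum, _ext, _rsvd, revision) = FV_FIXED.unpack_from(image, start)
            # Reject headers whose lengths do not fit the image or whose checksum fails.
            if (FV_FIXED.size + 8 <= hdr_len <= fv_len
                    and start + fv_len <= len(image)
                    and header_checksum_ok(image[start:start + hdr_len])):
                fs = KNOWN_FILESYSTEMS.get(uuid.UUID(bytes_le=guid_le), "unknown")
                volumes.append({
                    "offset": start, "length": fv_len, "filesystem": fs,
                    "revision": revision,
                    "sha256": hashlib.sha256(image[start:start + fv_len]).hexdigest(),
                })
                nxt = start + fv_len           # skip the volume body entirely
        pos = image.find(FV_SIGNATURE, nxt)
    return volumes


def diff_volumes(baseline: bytes, dump: bytes) -> list:
    """Offsets of volumes that differ (changed, added or missing) between two images."""
    base = {v["offset"]: v["sha256"] for v in find_volumes(baseline)}
    seen = {v["offset"]: v["sha256"] for v in find_volumes(dump)}
    return sorted(o for o in base.keys() | seen.keys() if base.get(o) != seen.get(o))


def build_volume(fs_guid: uuid.UUID, payload: bytes, revision: int = 2,
                 block_size: int = 0x1000) -> bytes:
    """Construct a minimal, spec-shaped volume (one block-map entry plus terminator)."""
    hdr_len = FV_FIXED.size + 16
    num_blocks = -(-(hdr_len + len(payload)) // block_size)
    fv_len = num_blocks * block_size
    fixed = FV_FIXED.pack(b"\0" * 16, fs_guid.bytes_le, fv_len, FV_SIGNATURE,
                          0x0004FEFF, hdr_len, 0, 0, 0, revision)
    header = bytearray(fixed + struct.pack("<IIII", num_blocks, block_size, 0, 0))
    total = sum(struct.unpack("<%dH" % (hdr_len // 2), header)) & 0xFFFF
    struct.pack_into("<H", header, 50, (-total) & 0xFFFF)   # Checksum field at offset 50
    return bytes(header) + payload + b"\xff" * (fv_len - hdr_len - len(payload))


# Constructed sample images (not real firmware). The 64-byte prefix carries a decoy
# "_FVH" with no valid header behind it, which the checksum check must reject.
FFS2, FFS3 = list(KNOWN_FILESYSTEMS)
GOOD_IMAGE = (b"\xff" * 48 + FV_SIGNATURE + b"\xff" * 12
              + build_volume(FFS2, b"[constructed DXE volume: boot driver A]")
              + build_volume(FFS3, b"[constructed volume: NVRAM / settings]", revision=3))

# A tampered copy: one byte changed inside the first volume's body, the kind of
# modification a boot-driver implant would leave behind.
_t = bytearray(GOOD_IMAGE)
_t[64 + 72 + 5] ^= 0x01
TAMPERED_IMAGE = bytes(_t)

if __name__ == "__main__":
    for v in find_volumes(GOOD_IMAGE):
        print("volume @0x%06x len=0x%x %s rev%d sha256=%s..." % (
            v["offset"], v["length"], v["filesystem"], v["revision"], v["sha256"][:16]))
    print("volumes differing from baseline:", diff_volumes(GOOD_IMAGE, TAMPERED_IMAGE))
```

The comparison is by volume rather than whole-image hash on purpose: vendor images legitimately differ from a live dump in the NVRAM volume (boot order, settings), so a per-volume report lets an analyst ignore expected churn and focus on a changed code volume, which is exactly where a modified boot driver would show up.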

“This driver was modified so as to intercept the boot sequence and introduce malicious logic to it,” said Mark Lechtik, who previously worked as a Kaspersky reverse engineer.

Kaspersky said it found the CosmicStrand UEFI rootkit within the firmware images of Gigabyte or Asus motherboards using the H81 chipset, which is associated with hardware sold between 2013 and 2015.


CosmicStrand victims were private individuals located in China, Iran, Vietnam, and Russia, so no link to a nation state, organization, or industry could be established. That said, researchers attributed CosmicStrand to a Chinese-speaking threat actor because of code patterns that also appeared in a separate cryptomining botnet.

Kaspersky stressed that the CosmicStrand UEFI firmware rootkit can more or less remain on an infected system forever.

UEFI malware was first reported in 2018 by another online security company, ESET. Known as LoJax, it was used by Russian hackers belonging to the APT28 group. Since then, the number of UEFI-based rootkits found infecting systems has steadily increased, including ESPecter — a kit said to have been deployed for espionage purposes since 2012.

Elsewhere, security analysts said they detected “the most advanced” UEFI firmware rootkit earlier this year in the form of MoonBounce.

It’s been a busy year for groups and hackers involved in the malware community. Most recently, threat actors have managed to use Microsoft Calculator to distribute malicious code, while Microsoft itself launched a new initiative where it offers businesses access to its internal security services.


Zak Islam
Former Digital Trends Contributor
Zak Islam was a freelance writer at Digital Trends covering the latest news in the technology world, particularly the…