Years before UEFI implants were on most defenders' radar, a China-linked APT group had already planted a Windows-targeting rootkit in motherboard firmware

Unknown to the security community, a 96.8 KB malicious component had been sitting in the UEFI firmware of motherboards from well-known vendors since at least 2016, long before firmware implants were treated as a mainstream threat.

Then, in January this year, an espionage campaign attributed to a China-linked threat actor alerted researchers to a modified copy of the CSMCORE DXE driver, a firmware component that runs early in the boot process, before the operating system is loaded. The modified driver hooks the boot chain so that by the time Windows is running, a kernel-level payload has been injected without any file on disk to detect. Because the implant lives in the SPI flash chip on the motherboard rather than on the hard drive, it survives reboots, a reinstallation of Windows, and even a replacement of the drive itself.

According to Kaspersky, which uncovered the UEFI firmware rootkit, the implant was used in attacks against private individuals in China, with rare cases in Vietnam, Iran and Russia.

While the end goal pursued by the China-linked attackers remains unknown, the affected devices belonged to individual users rather than corporations. All of the attacked machines ran Windows: on every boot, the implant executed a small piece of malicious code once the kernel was up. Its purpose was to contact a C2 (command-and-control) server and download an additional malicious executable.

Its name is CosmicStrand
Researchers have been unable to determine how the rootkit ended up on the infected machines in the first place, but unconfirmed accounts found online suggest that some users received already-compromised devices when ordering ASUS and Gigabyte motherboards based on the H81 chipset online.

According to Ivan Kwiatkowski, Senior Security Researcher, Kaspersky: “Despite being recently discovered, the CosmicStrand UEFI firmware rootkit seems to have been deployed for quite a long time. This indicates that some threat actors have had very advanced capabilities that they’ve managed to keep under the radar. We are left to wonder what new tools they have created in the meantime that we have yet to discover.”

To stay protected, users are advised to deploy endpoint detection and response solutions that can flag suspicious firmware activity, and to source UEFI/BIOS updates only from the motherboard vendor's own website. Note that a rootkit running below the operating system can hide from software that asks the OS for a view of itself, so a firmware check is only trustworthy when the flash contents are read directly and compared against the vendor's clean image.
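Because an implant of this kind is a modified DXE driver stored in the SPI flash, the practical check is to dump the flash (with flashrom or a hardware programmer) and compare it module by module against the vendor's published image, rather than trusting what the running OS reports. The following Python is an added example written for this article; it is not Kaspersky's tooling and not code from the original report. It walks the firmware volumes of a UEFI image using the Firmware Volume and FFS file layouts from the UEFI Platform Initialization specification, hashes every file (DXE driver, PEIM, and so on) by its GUID, and reports which modules are modified, missing or added. The two images it runs on are synthetic firmware volumes constructed inline, and the CSMCORE and "other driver" GUIDs are placeholders, not the real file GUIDs from any vendor's firmware; for a real board, take the GUIDs from the vendor image (UEFITool lists them). It does not descend into nested firmware volumes or decompress sections, so a real vendor capsule may need those unpacked first.

```python
"""Module-by-module comparison of a dumped UEFI image against a clean vendor image.

Added example, run on synthetic firmware volumes built below. The parser follows
the EFI_FIRMWARE_VOLUME_HEADER / EFI_FFS_FILE_HEADER layouts from the PI spec and
contains nothing vendor-specific.
"""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"            # EFI_FIRMWARE_VOLUME_HEADER.Signature
FV_SIGNATURE_OFFSET = 40          # ZeroVector[16] + FileSystemGuid[16] + FvLength[8]
FFS_HEADER_LEN = 24               # EFI_FFS_FILE_HEADER without the ExtendedSize field
FFS_ATTRIB_LARGE_FILE = 0x01
EFI_FV_FILETYPE_DRIVER = 0x07     # a DXE driver, which is what CSMCORE is
EFI_FV_FILETYPE_FFS_PAD = 0xF0
EFI_FIRMWARE_FILE_SYSTEM2_GUID = "8c8ce578-8a3d-4f1c-9935-896185c32dd3"


def find_firmware_volumes(image):
    """Yield (start, fv_len, hdr_len) for each top-level firmware volume in the image."""
    pos = 0
    while (sig := image.find(FV_SIGNATURE, pos)) >= 0:
        start = sig - FV_SIGNATURE_OFFSET
        if start >= 0:
            fv_len, = struct.unpack_from("<Q", image, start + 32)
            hdr_len, = struct.unpack_from("<H", image, start + 48)
            if 56 <= hdr_len < fv_len <= len(image) - start:
                yield start, fv_len, hdr_len
                pos = start + fv_len          # skip the volume; nested FVs are not walked
                continue
        pos = sig + len(FV_SIGNATURE)         # stray signature bytes, keep scanning


def iter_ffs_files(image, start, fv_len, hdr_len):
    """Yield (guid, file_type, body_offset, body_len) for each FFS file in one volume."""
    pos, end = start + hdr_len, start + fv_len
    while pos + FFS_HEADER_LEN <= end:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if hdr[:16] == b"\xff" * 16:         # erased flash: free space, no more files
            return
        file_type, attrs = hdr[18], hdr[19]
        size, hdr_size = int.from_bytes(hdr[20:23], "little"), FFS_HEADER_LEN
        if attrs & FFS_ATTRIB_LARGE_FILE:     # 64-bit ExtendedSize follows the header
            if pos + FFS_HEADER_LEN + 8 > end:
                return
            size, = struct.unpack_from("<Q", image, pos + FFS_HEADER_LEN)
            hdr_size = FFS_HEADER_LEN + 8
        if size < hdr_size or pos + size > end:
            return                            # corrupt header: stop rather than misparse
        if file_type != EFI_FV_FILETYPE_FFS_PAD:
            guid = str(uuid.UUID(bytes_le=bytes(hdr[:16])))
            yield guid, file_type, pos + hdr_size, size - hdr_size
        pos = (pos + size + 7) & ~7           # FFS files are 8-byte aligned


def hash_modules(image):
    """Map each module GUID to (file_type, sha256 of its body) across all volumes."""
    modules = {}
    for start, fv_len, hdr_len in find_firmware_volumes(image):
        for guid, ftype, off, n in iter_ffs_files(image, start, fv_len, hdr_len):
            modules[guid] = (ftype, hashlib.sha256(image[off:off + n]).hexdigest())
    return modules


def diff_images(vendor_image, dumped_image):
    """Return {guid: 'modified' | 'missing' | 'added'} for every module that differs."""
    clean, dumped = hash_modules(vendor_image), hash_modules(dumped_image)
    findings = {}
    for guid in clean.keys() | dumped.keys():
        if guid not in dumped:
            findings[guid] = "missing"
        elif guid not in clean:
            findings[guid] = "added"
        elif clean[guid][1] != dumped[guid][1]:
            findings[guid] = "modified"
    return findings


def build_firmware_volume(files, free_space=64):
    """Construct a minimal FFS2 firmware volume (test input only, not a real BIOS image)."""
    body = b""
    for guid, ftype, data in files:
        size = FFS_HEADER_LEN + len(data)
        hdr = (uuid.UUID(guid).bytes_le + b"\x00\x00" + bytes([ftype, 0])
               + size.to_bytes(3, "little") + b"\xf8")  # IntegrityCheck, Type, Attributes, Size, State
        body += hdr + data + b"\xff" * (-size % 8)
    hdr_len = 72                                      # 56-byte header + one block-map entry + terminator
    fv_len = hdr_len + len(body) + free_space
    header = (b"\x00" * 16 + uuid.UUID(EFI_FIRMWARE_FILE_SYSTEM2_GUID).bytes_le
              + struct.pack("<Q", fv_len) + FV_SIGNATURE
              + struct.pack("<IHHHBB", 0, hdr_len, 0, 0, 0, 2)   # Attributes, HeaderLength, Checksum, ExtHdrOffset, Reserved, Revision
              + struct.pack("<IIII", 1, fv_len, 0, 0))          # BlockMap: one block of fv_len bytes, then terminator
    return header + body + b"\xff" * free_space


# Constructed sample data: placeholder GUIDs, not the real CSMCORE file GUID of any vendor.
CSMCORE_GUID = "11111111-2222-4333-8444-555555555555"
OTHER_DRIVER_GUID = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
VENDOR_IMAGE = build_firmware_volume([
    (CSMCORE_GUID, EFI_FV_FILETYPE_DRIVER, b"clean CSMCORE DXE driver body"),
    (OTHER_DRIVER_GUID, EFI_FV_FILETYPE_DRIVER, b"some other DXE driver"),
])
SPI_DUMP_IMAGE = build_firmware_volume([          # same board, but CSMCORE has been patched
    (CSMCORE_GUID, EFI_FV_FILETYPE_DRIVER, b"clean CSMCORE DXE driver body" + b"\xe8hook"),
    (OTHER_DRIVER_GUID, EFI_FV_FILETYPE_DRIVER, b"some other DXE driver"),
])

if __name__ == "__main__":
    for guid, status in sorted(diff_images(VENDOR_IMAGE, SPI_DUMP_IMAGE).items()):
        print(f"{status:9} {guid}")
```

On a real dump, replace the two synthetic images with the bytes read from the flash chip and from the vendor's download. Expect some legitimate differences (NVRAM variable stores and padding regions change with normal use), which is why the comparison is done per FFS file rather than on the whole image: an altered DXE driver such as CSMCORE stands out as a single "modified" module among otherwise identical ones.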