Malware That Can Survive OS Reinstalls Discovered On Asus, Gigabyte Motherboards

The malware was found targeting earlier H81 mainboards and also seems to have been about since at the very least 2016, according to antivirus provider Kaspersky.
Research workers have found malware that has been secretly contaminating systems featuring Asus as well as Gigabyte mainboards for a minimum of six years.
Ever since 2016, Chinese-speaking hackers have been infiltrating units with the CosmicStrand malware, according to a study by Bleeping Computer.
A malware strain capable of withstanding OS reinstalls has been secretly infiltrating older mainboards from Asus and Gigabyte, according to antivirus service provider Kaspersky.
The malware, tagged CosmicStrand, is developed to infect the mainboard’s UEFI (Unified Extensible Firmware Interface), to ensure it can remain a problem on a Windows machine, even though the storage drive is taken away.
On Monday, Kaspersky said it found out about CosmicStrand spreading on Windows laptops in China, Vietnam, Iran and Russia. All the targets were utilizing Kaspersky’s free antivirus software, so they were most likely private folks.
The firm’s investigation found that CosmicStrand was found on firmware images for earlier Asus and Gigabyte motherboards that employed the H81 chipset, that initially debuted in 2013, but has since been actually stopped.
By contaminating the mainboard’s UEFI, CosmicStrand can carry out malicious activities right as the PC starts up. This can bring about the machine loading a malicious piece from a hacker-controlled server and setting it up inside the Windows OS.
Kapersky said that unfortunately, we were not able to obtain a copy of data originating from the C2 (command and control) server. But the business did find confirmation the developers of CosmicStrand were seeking to remotely hijack the infected devices.
Kaspersky additionally isn’t sure how CosmicStrand is ending up on the victim personal computers. However, it’s likely it got there through another malware strain previously on the computer, or through the hackers getting physical access to the hardware.
Kaspersky also atated that reviewing the various firmware images we had the chance to obtain, we evaluate that the alterations may have been carried out with an automated patcher. If so, it would definitely follow that the aggressors had prior access to the target’s home computer so as to extract, modify and overwrite the motherboard’s firmware.
CosmicStrand isn’t the first UEFI-based malware; throughout the years, the antivirus industry has found several other variants. However, CosmicStrand seems to have hidden under the radar for numerous years. Kaspersky’s inquiry located one specimen of the malware was connecting to a hacker-controlled server that initially showed up in Dec. 2016. Another variant was found transmitting to a separate hacker-controlled server in 2020.
The servers the malware examples were communication to.
Aside from that, Kaspersky indicated that the Chinese antivirus supplier Qihoo 360 also identified a very early version of CosmicStrand back in 2017, affecting an Asus B85M motherboard.
In an announcement Kaspersky in addition explained that Qihoo’s first report shows that a buyer may have been given a backdoored mainboard soon after making an order at a pre-owned reseller. We were unable to verify this information.
The service provider currently thinks Chinese hackers produced CosmicStrand, pointing out how its computer code resembles with various other malware associated with Chinese-language hackers.
Kaspersky products will discover this hazard and stop it from performing it appropriately, rendering it innocuous however it is uncertain if there may be a firmware disinfection as certainly there would be a possibility of ruining the end user’s equipment.
The only way to get rid of the infection completely is to re-flash the firmware of the mainboard, a fragile operation that may possibly be carried out via the BIOS this is for expert users only or utilizing utilities provided by the hardware provider. The exceptional alternative way of removing this infection would be to change the computer’s motherboard and to then reinstall Windows.



You May Also Like