A new malware strain capable of surviving OS reinstalls has been secretly infiltrating older motherboards from Asus and Gigabyte, according to antivirus vendor Kaspersky.
The malware, dubbed CosmicStrand, is designed to infect the motherboard’s UEFI (Unified Extensible Firmware Interface), so that it can persist on a Windows machine, even if the storage drive is removed.
On Monday, Kaspersky said it uncovered CosmicStrand circulating on Windows computers in China, Vietnam, Iran and Russia. All the victims were using Kaspersky’s free antivirus software, so they were likely private individuals.
The company’s investigation found that CosmicStrand was located on firmware images for older Asus and Gigabyte motherboards that used the H81 chipset, which originally launched in 2013, but has since been discontinued.
By infecting the motherboard's UEFI, CosmicStrand can execute malicious processes right when the PC boots up. This can result in the machine retrieving a malicious component from a hacker-controlled server and installing it inside the Windows OS.
“Unfortunately, we were not able to obtain a copy of data coming from the C2 (command and control) server,” Kaspersky said. But the company did find evidence the makers of CosmicStrand were attempting to remotely hijack the infected machines.
Kaspersky also isn’t sure how CosmicStrand is ending up on the victim computers. But it's possible it arrived through another malware strain already on the system, or via the hackers gaining physical access to the hardware.
“Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would