Malware Which Can Survive OS Reinstalls Discovered On Asus, Gigabyte Motherboards

The malware was found targeting older H81 motherboards and appears to have been around since roughly 2016, according to antivirus vendor Kaspersky.

Researchers have uncovered malware that has been covertly infecting computers with Asus and Gigabyte motherboards for at least six years.

Since 2016, Chinese-speaking hackers have been compromising machines with the CosmicStrand malware, according to a report by Bleeping Computer.

A malware strain capable of surviving OS reinstalls has been quietly infecting older motherboards from Asus and Gigabyte, according to antivirus vendor Kaspersky.

The malware, dubbed CosmicStrand, is designed to infect the motherboard's UEFI (Unified Extensible Firmware Interface) firmware, so that it persists on a Windows computer even if the storage drive is removed.

On Monday, Kaspersky said it found CosmicStrand spreading on Windows laptops in China, Vietnam, Iran and Russia. All of the victims were using Kaspersky's free antivirus software, so they were probably private individuals.

The company's investigation found CosmicStrand in firmware images for older Asus and Gigabyte motherboards that use the H81 chipset, which originally debuted in 2013 and has since been retired.

By infecting the motherboard's UEFI firmware, CosmicStrand can execute malicious code as soon as the PC starts. This can lead to the machine fetching a malicious component from a hacker-controlled server and installing it inside the Windows OS.

Kaspersky said that, unfortunately, it was not able to obtain a copy of the data coming from the C2 (command and control) server. But the company did find evidence that the creators of CosmicStrand were trying to remotely take control of the infected machines.

Kaspersky also isn't sure how CosmicStrand is ending up on the victim computers. However, it's plausible that it arrived through another malware strain already on the system, or through the hackers gaining physical access to the hardware.

Kaspersky additionally stated that, judging by the multiple firmware images it was able to obtain, it assesses that the modifications may have been made with an automated patcher. If so, it would follow that the attackers had prior access to the victim's computer in order to extract, modify and overwrite the motherboard's firmware.

CosmicStrand isn't the first UEFI-based malware; over the years, the antivirus industry has found several other strains. However, CosmicStrand appears to have flown under the radar for a number of years. Kaspersky's probe found one sample of the malware communicating with a hacker-controlled server that first appeared in Dec. 2016. Another sample was found connecting to a different hacker-controlled server in 2020.

(Figure caption: the servers the malware samples were communicating with.)

In addition, Kaspersky noted that the Chinese antivirus vendor Qihoo 360 also uncovered a very early version of CosmicStrand back in 2017, affecting an Asus B85M motherboard.

In its report, Kaspersky also said that Qihoo's initial write-up indicates a customer may have received a backdoored motherboard after placing an order with a second-hand reseller, though Kaspersky was not able to confirm this information.

The company currently believes Chinese hackers created CosmicStrand, citing how its code overlaps with other malware linked to Chinese-speaking hackers.

Kaspersky products will detect this threat and stop it from executing properly, rendering it harmless. However, it is uncertain whether firmware disinfection will be offered, since there would be a risk of damaging the user's computer.

The only way to remove the infection permanently is to re-flash the motherboard's firmware, a delicate operation that can be performed via the BIOS (for advanced users only) or with utilities supplied by the hardware vendor. The alternative way of getting rid of the infection is to replace the computer's motherboard and then reinstall Windows.
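Because the implant lives in the firmware rather than on disk, the practical way for a defender to confirm whether a board is clean, before and after a re-flash, is to dump the SPI flash and compare it against a known-good image from the vendor. The script below is an added example, not Kaspersky's tool or any vendor's utility: it walks an image for UEFI firmware volume headers (the `EFI_FIRMWARE_VOLUME_HEADER` layout from the UEFI PI specification, with the `_FVH` signature at byte 40), verifies each header's 16-bit checksum, hashes every volume and reports which volumes differ between a reference image and a suspect dump. The two images, their GUIDs and their contents are constructed in memory for the demo; on a real board you would read the dump and the vendor image from files.

```python
"""Baseline-compare two firmware images by UEFI firmware volume.

Added example (not Kaspersky's or a vendor's code). Sample images below are
constructed in memory; GUIDs and volume contents are placeholders.
"""
import hashlib
import struct

# EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec): ZeroVector[16], FileSystemGuid[16],
# FvLength u64, Signature u32 ('_FVH'), Attributes u32, HeaderLength u16,
# Checksum u16, ExtHeaderOffset u16, Reserved u8, Revision u8, then a BlockMap.
FV_HEADER = struct.Struct("<16s16sQ4sIHHHBB")   # 56 bytes before the BlockMap
FV_SIGNATURE = b"_FVH"
FV_SIGNATURE_OFFSET = 40                         # offset of Signature in the header


def header_checksum16(header: bytes) -> int:
    """Sum of all little-endian u16 words in the header, mod 2**16.
    A valid FV header sums to zero once its Checksum field is included."""
    if len(header) % 2:
        header += b"\0"
    return sum(struct.unpack("<%dH" % (len(header) // 2), header)) & 0xFFFF


def find_firmware_volumes(image: bytes):
    """Yield (offset, length, revision) for each checksum-valid firmware volume."""
    pos = 0
    while True:
        sig = image.find(FV_SIGNATURE, pos)
        if sig < 0:
            return
        start = sig - FV_SIGNATURE_OFFSET
        pos = sig + len(FV_SIGNATURE)            # default: keep scanning past this hit
        if start < 0 or start + FV_HEADER.size > len(image):
            continue
        (_zero, _guid, fv_len, _sig, _attr, hdr_len,
         _csum, _ext, _res, rev) = FV_HEADER.unpack_from(image, start)
        if fv_len == 0 or hdr_len < FV_HEADER.size or start + fv_len > len(image):
            continue                             # implausible lengths: not a header
        if header_checksum16(image[start:start + hdr_len]) != 0:
            continue                             # '_FVH' found inside data, not a header
        yield start, fv_len, rev
        pos = start + fv_len                     # volumes do not overlap


def hash_volumes(image: bytes) -> dict:
    """Map each volume's offset to the SHA-256 of its full contents."""
    return {off: hashlib.sha256(image[off:off + length]).hexdigest()
            for off, length, _rev in find_firmware_volumes(image)}


def diff_firmware(reference: bytes, dump: bytes) -> dict:
    """Compare a suspect dump against a known-good reference, volume by volume."""
    ref, cur = hash_volumes(reference), hash_volumes(dump)
    return {
        "modified": sorted(o for o in ref if o in cur and ref[o] != cur[o]),
        "added": sorted(o for o in cur if o not in ref),
        "removed": sorted(o for o in ref if o not in cur),
    }


def build_volume(guid: bytes, body: bytes) -> bytes:
    """Construct a minimal, checksum-valid firmware volume for the demo."""
    block_map = struct.pack("<II", 1, len(body)) + struct.pack("<II", 0, 0)
    hdr_len = FV_HEADER.size + len(block_map)
    fv_len = hdr_len + len(body)

    def pack(csum: int) -> bytes:
        return FV_HEADER.pack(b"\0" * 16, guid, fv_len, FV_SIGNATURE,
                              0x0004FEFF, hdr_len, csum, 0, 0, 2) + block_map
    # Choose Checksum so that the u16 sum over the whole header is zero.
    csum = (-header_checksum16(pack(0))) & 0xFFFF
    return pack(csum) + body


# Constructed sample images: placeholder GUIDs, filler bytes between volumes.
GUID_A = bytes(range(16))
GUID_B = bytes(range(16, 32))
FILLER = b"\xff" * 64
BOOT_VOLUME = build_volume(GUID_A, b"PEI core and DXE core, unmodified" * 4)
REFERENCE_IMAGE = (FILLER + BOOT_VOLUME + FILLER
                   + build_volume(GUID_B, b"vendor DXE drivers" * 8) + FILLER)
# Suspect dump: the driver volume carries an extra blob, the way a patched
# firmware image would; the boot volume is untouched.
SUSPECT_IMAGE = (FILLER + BOOT_VOLUME + FILLER
                 + build_volume(GUID_B, b"vendor DXE drivers" * 8 + b"<injected driver>")
                 + FILLER)

if __name__ == "__main__":
    for off, length, rev in find_firmware_volumes(REFERENCE_IMAGE):
        print(f"FV at 0x{off:x}, length 0x{length:x}, revision {rev}")
    print(diff_firmware(REFERENCE_IMAGE, SUSPECT_IMAGE))
```

The checksum test matters in practice: the four-byte `_FVH` string can occur inside compressed sections or file data, and without it a scanner reports phantom volumes. A per-volume hash comparison tells you which region changed, not what changed; once a volume is flagged, the next step is to extract its files with a firmware-parsing tool and compare them against the vendor image, and a board that fails the comparison after a re-flash should be treated as still suspect.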