It is a fact that malware developers are always looking for alternative ways to infiltrate their victims’ computers. Therefore, it is not surprising that Kaspersky has detected the existence of malware capable of surviving a Windows reinstall or a hard drive change.
How does it do it? By lodging in the motherboard firmware of infected PCs. According to the computer security firm, the malware in question is called CosmicStrand, and traces have been detected that would link its authorship to Chinese hackers. By infecting the UEFI firmware of a motherboard, the rootkit is capable of executing malicious processes from the moment the operating system boots.
This represents a great danger for the affected computers, since it implies that the malware can connect to a server controlled by cybercriminals and install more malicious components behind the users’ backs.
The “good news” is that the detected cases seem to be concentrated in very specific territories and, for now, far from the West. Kaspersky mentions that so far it has only been found on computers in Russia, China, Iran and Vietnam. The other notable point is that the infections have been registered on computers with components that are not the latest generation. Specifically, on Gigabyte and ASUS motherboards with the H81 chipset.
How did affected PCs get infected by this malware?
According to Kaspersky’s analysis, the computers infected by CosmicStrand belonged to private users, not companies or organizations. But what is truly striking is that there are no details on how the malware may have reached these computers. Still, the researchers are following up on a couple of pretty strong leads.
The firmware of the analyzed motherboards showed that the modifications to it were made through an automatic patch. This allowed the attackers to “extract it, modify it and overwrite it”, they indicated.
Therefore, specialists believe that there are two possible routes of infection. One is through pre-existing malware on the computers; the other is that the hackers had physical access to the computers. The second case seems somewhat less feasible, but other security experts believe that the malicious software could be implanted in secondhand motherboards.
Kaspersky maintains that CosmicStrand is a sophisticated rootkit, but that doesn’t necessarily mean it’s new. Older versions of the malware have been detected dating back to 2016 or 2017, while the most current active variant would date from 2020.
The big question is how to remove the malware from an infected PC, if reinstalling Windows or changing the hard drive is not enough. As explained to PCMag, there are some options, although they are not the most comfortable. The first is to re-flash the motherboard firmware; this is something that many manufacturers show you how to do, although it is primarily a task for advanced users or IT technicians. The second is somewhat more extreme, since it entails replacing the motherboard with a new or more modern one.
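Because the attackers patched the firmware image in place (extracted, modified, overwritten), one defender-side check before and after re-flashing is to dump the SPI flash contents and compare them block by block against the vendor's clean image for the same board and version. The following Python script is an added example, not code from Kaspersky or from the article; it works on two byte strings (a constructed 16 KiB "vendor" image and a constructed tampered copy), so it runs offline without a real firmware dump. Obtaining the actual dump and vendor image is assumed to be done with the board vendor's tooling and is outside this example.

```python
import hashlib

BLOCK = 4096  # compare in 4 KiB blocks, the usual SPI flash erase granularity


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, for a quick whole-image comparison with a vendor hash."""
    return hashlib.sha256(data).hexdigest()


def diff_firmware(reference: bytes, dumped: bytes, block: int = BLOCK) -> list:
    """Return a list of (offset, length) block-aligned ranges where `dumped`
    differs from `reference`. An empty list means the images are identical.
    A size mismatch is treated as its own finding, since a clean re-flash of
    the same firmware version should never change the image size."""
    if len(reference) != len(dumped):
        raise ValueError(
            f"image size mismatch: reference={len(reference)} dumped={len(dumped)}"
        )
    ranges = []
    start = None
    for off in range(0, len(reference), block):
        same = reference[off:off + block] == dumped[off:off + block]
        if not same and start is None:
            start = off  # beginning of a run of modified blocks
        elif same and start is not None:
            ranges.append((start, off - start))
            start = None
    if start is not None:  # run of modified blocks reaches the end of the image
        ranges.append((start, len(reference) - start))
    return ranges


def build_samples() -> tuple:
    """Constructed sample data: a 16 KiB pseudo 'vendor' image and a copy with
    ten bytes patched inside the fourth 4 KiB block (offset 12288)."""
    reference = bytes(range(256)) * 64
    tampered = bytearray(reference)
    tampered[12288 + 10:12288 + 20] = b"\x00" * 10  # constructed tampering
    return reference, bytes(tampered)


def report(reference: bytes, dumped: bytes) -> str:
    """Human-readable summary used when running the script directly."""
    if sha256_hex(reference) == sha256_hex(dumped):
        return "image matches reference (sha256 equal)"
    lines = ["image differs from reference:"]
    for off, length in diff_firmware(reference, dumped):
        lines.append(f"  modified region at 0x{off:08x}, {length} bytes")
    return "\n".join(lines)


if __name__ == "__main__":
    ref, dump = build_samples()
    print(report(ref, dump))
```

In practice the reference image must be the exact same firmware build as the one on the board, otherwise every block that legitimately changed between versions shows up as a finding; NVRAM variable regions also change on normal use, so a modified range in a known variable-store area is expected, whereas a change inside a DXE driver volume is what would warrant a re-flash.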
Kaspersky has published the detailed results of its research into this malware, explaining how it works and how it manages to get around the technical hurdles of running before Windows is loaded into the PC’s memory.