UEFI Malware discovered in Gigabyte and Asus H81 motherboard firmware

(Image credit: Pixabay (Elchinator))

Researchers at cybersecurity company Kaspersky have discovered a new form of malware that resides in the motherboard's UEFI. The malware is a form of rootkit that remains present even after the host hard drive or SSD is wiped or replaced.

The Kaspersky engineers (via Bleeping Computer) named it CosmicStrand. It's reported to be an evolution of an earlier malware called Spy Shadow Trojan which was discovered as far back as 2016. The researchers found the CosmicStrand malware in the firmware of Asus and Gigabyte motherboards. Don’t panic though! I’ll explain.

The infected systems ran motherboards based on the H81 chipset, which dates back many years. An attacker would also need access to the system or need to install a different malware to update or patch the firmware to inject the CosmicStrand malware. So if you’re reading this, don’t think that Asus or Gigabyte systems have been insecure for all of these years or that your system is compromised. Until there is further research, it may be that CosmicStrand can only take advantage of a possible H81 UEFI vulnerability.

The malware sets up a series of hooks that allow Windows kernel access, eventually leading the infected OS to retrieve a payload that will execute on the victim’s machine. The Kaspersky engineers weren’t able to retrieve the payload itself, but they believe the malware shares code patterns with a Chinese group responsible for the MyKings crypto mining botnet. 

And that’s what this sort of thing is usually about: scumbags trying to steal or make money.

Your next upgrade

(Image credit: Future)

Best CPU for gaming: The top chips from Intel and AMD
Best gaming motherboard: The right boards
Best graphics card: Your perfect pixel-pusher awaits
Best SSD for gaming: Get into the game ahead of the rest

The UEFI, or Unified Extensible Firmware Interface, is almost like a mini OS. It's the interface between the hardware and software of the system, meaning it influences the OS and all of the software of the system. The UEFI is usually secure and it requires specific code knowledge. Hence, there are very few known UEFI threats.

Kaspersky’s report states "the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later."

So, while the threat is limited, it shines a spotlight on the need for the industry to pay close attention to possible vulnerabilities. The lure of a million infected machines covertly mining a crypto coin is a huge dangling carrot for a malicious actor.

Chris Szewczyk
Hardware Writer

Chris' gaming experiences go back to the mid-nineties when he conned his parents into buying an 'educational PC' that was conveniently overpowered to play Doom and Tie Fighter. He developed a love of extreme overclocking that destroyed his savings despite the cheaper hardware on offer via his job at a PC store. To afford more LN2 he began moonlighting as a reviewer for VR-Zone before jumping the fence to work for MSI Australia. Since then, he's gone back to journalism, enthusiastically reviewing the latest and greatest components for PC & Tech Authority, PC Powerplay and currently Australian Personal Computer magazine and PC Gamer. Chris still puts far too many hours into Borderlands 3, always striving to become a more efficient killer.