In context: Security firm ESET discovered the first UEFI rootkit that had been used in the wild back in 2018. This type of persistent threat used to be the subject of theoretical discussions among security researchers, but over the past years it has become clear that it is a lot more common than previously thought, despite being relatively hard to develop.
This week, Kaspersky researchers revealed a new firmware rootkit dubbed "CosmicStrand," which is believed to be the work of an unknown group of Chinese malicious actors. Researchers explain that the rootkit was discovered in firmware images of several Asus and Gigabyte motherboards equipped with an Intel H81 chipset, one of the longest-living Haswell-era chipsets, which was finally discontinued in 2020.
Because UEFI firmware is the first piece of code that runs when you turn a computer on, CosmicStrand is particularly hard to remove compared to other types of malware. Firmware rootkits are also harder to detect, and they pave the way for hackers to install additional malware on a target system.
Simply wiping the storage in your PC won't remove the infection, and neither will replacing storage devices altogether. UEFI is essentially a small operating system that lives inside a non-volatile memory chip, usually soldered onto the motherboard. This means that removing CosmicStrand requires special tools to reimage the flash chip while the PC is powered off. Anything else would leave your computer in an infected state.
So far, it appears only Windows systems in countries like Russia, China, Iran, and Vietnam have been compromised.
Back in 2017, security firm Qihoo360 discovered what could have been an early variant of CosmicStrand. However, the UEFI implant has been used in the wild since late 2016, which raises the possibility that this type of infection is more common than previously assumed.
As for CosmicStrand, it's a very potent malware that's less than 100 kilobytes in size. In more recent years, researchers found additional UEFI rootkits such as MosaicRegressor, FinSpy, ESpecter, and MoonBounce.
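The article's point that wiping or replacing disks does nothing, and that cleanup means reimaging the flash chip, has a defensive counterpart: dump the SPI flash (with a hardware programmer or a flash-reading tool) and compare its contents, volume by volume, against a known-good image of the same firmware version. The Python script below is an added example, not Kaspersky's or the article's code. It locates UEFI firmware volumes in a dump by the "_FVH" signature of the EFI_FIRMWARE_VOLUME_HEADER layout from the UEFI Platform Initialization specification, validates each header's 16-bit checksum, hashes each volume and reports volumes that are modified, missing or unexpected relative to a baseline. The flash image, the volume payloads and the baseline are constructed inline for the demonstration, and all function names are this example's own.

```python
import hashlib
import struct
import uuid

# EFI_FIRMWARE_VOLUME_HEADER layout (UEFI PI spec): ZeroVector[16], FileSystemGuid[16],
# FvLength (u64), Signature "_FVH" (u32), Attributes (u32), HeaderLength (u16), Checksum (u16),
# ExtHeaderOffset (u16), Reserved (u8), Revision (u8), then BlockMap entries of (NumBlocks,
# Length) u32 pairs terminated by a (0, 0) entry.
FV_SIGNATURE = b"_FVH"
FV_SIGNATURE_OFFSET = 40   # 16 + 16 + 8 bytes precede the signature
FV_FIXED_HEADER_LEN = 56   # fixed fields up to the first BlockMap entry
FV_HEADER_LEN = 72         # fixed fields + one BlockMap entry + terminator (synthetic volumes here)
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3").bytes_le  # EFI_FIRMWARE_FILE_SYSTEM2_GUID


def find_firmware_volumes(image: bytes):
    """Scan a flash dump for top-level firmware volumes; returns (start, fv_length, header_len) tuples.

    A "_FVH" hit is accepted only if the declared FvLength and HeaderLength fit inside the image,
    so a random occurrence of the four signature bytes is rejected.
    """
    volumes = []
    pos = 0
    while (idx := image.find(FV_SIGNATURE, pos)) != -1:
        pos = idx + len(FV_SIGNATURE)
        start = idx - FV_SIGNATURE_OFFSET
        if start < 0 or start + FV_FIXED_HEADER_LEN > len(image):
            continue
        fv_length = struct.unpack_from("<Q", image, start + 32)[0]
        header_len = struct.unpack_from("<H", image, start + 48)[0]
        if header_len < FV_FIXED_HEADER_LEN or fv_length < header_len or start + fv_length > len(image):
            continue
        volumes.append((start, fv_length, header_len))
        pos = start + fv_length   # resume after this volume; nested volumes are not enumerated
    return volumes


def header_checksum_ok(image: bytes, start: int, header_len: int) -> bool:
    """The little-endian 16-bit words of a valid volume header sum to zero (mod 2**16)."""
    words = struct.unpack_from("<%dH" % (header_len // 2), image, start)
    return (sum(words) & 0xFFFF) == 0


def hash_volumes(image: bytes) -> dict:
    """Map each volume's start offset to the SHA-256 of the whole volume (header + body)."""
    return {start: hashlib.sha256(image[start:start + length]).hexdigest()
            for start, length, _ in find_firmware_volumes(image)}


def compare_to_baseline(baseline: dict, image: bytes) -> list:
    """Compare a dump against known-good per-volume hashes; returns sorted (offset, status) pairs."""
    volumes = {start: header_len for start, _, header_len in find_firmware_volumes(image)}
    current = hash_volumes(image)
    findings = []
    for start in sorted(current):
        if not header_checksum_ok(image, start, volumes[start]):
            findings.append((start, "bad header checksum"))
        elif start not in baseline:
            findings.append((start, "unexpected volume"))
        elif baseline[start] != current[start]:
            findings.append((start, "modified"))
        else:
            findings.append((start, "ok"))
    for start in sorted(set(baseline) - set(current)):
        findings.append((start, "missing"))
    return findings


def build_volume(payload: bytes) -> bytes:
    """Construct a minimal, checksum-correct firmware volume (synthetic data for this example)."""
    fv_length = FV_HEADER_LEN + len(payload)
    fixed = struct.pack("<16s16sQ4sIHHHBB", b"\0" * 16, FFS2_GUID, fv_length, FV_SIGNATURE,
                        0, FV_HEADER_LEN, 0, 0, 0, 2)
    block_map = struct.pack("<IIII", 1, fv_length, 0, 0)   # one block spanning the volume, then terminator
    header = bytearray(fixed + block_map)
    words = struct.unpack("<%dH" % (FV_HEADER_LEN // 2), bytes(header))
    struct.pack_into("<H", header, 50, (-sum(words)) & 0xFFFF)   # Checksum field sits at offset 50
    return bytes(header) + payload


def build_sample_image() -> bytes:
    """A constructed flash image: two volumes separated by erased (0xFF) flash."""
    pad = b"\xff" * 64
    return pad + build_volume(b"boot block A" * 4) + pad + build_volume(b"main volume B" * 8) + pad


def tamper(image: bytes, volume_index: int = 1) -> bytes:
    """Flip one bit in a volume body to stand in for an unauthorised modification of the flash."""
    start, _, header_len = find_firmware_volumes(image)[volume_index]
    patched = bytearray(image)
    patched[start + header_len] ^= 0x01
    return bytes(patched)


SAMPLE_IMAGE = build_sample_image()
BASELINE = hash_volumes(SAMPLE_IMAGE)   # in practice: hashes taken from a trusted vendor image

if __name__ == "__main__":
    for offset, status in compare_to_baseline(BASELINE, tamper(SAMPLE_IMAGE)):
        print(f"volume @ 0x{offset:06x}: {status}")
```

Two caveats apply when running this against a real dump. The baseline must come from a trusted image of exactly the firmware version installed, since a legitimate vendor update changes every hash as surely as an implant does; and a scan that stops at top-level volumes does not cover nested volumes or non-volume regions of the chip, so a clean result narrows the search rather than proving the board is free of a rootkit.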