Malware That Can Survive OS Reinstalls Seen on Asus, Gigabyte Motherboards

The malware targets older H81-chipset motherboards and appears to have been in circulation since at least 2016, according to antivirus vendor Kaspersky.
Researchers have uncovered malware that has been quietly infecting computers built on Asus and Gigabyte motherboards for at least six years.
Since 2016, Chinese-speaking hackers have been compromising machines with the CosmicStrand malware, according to a report by Bleeping Computer.
A malware strain capable of surviving OS reinstalls has been covertly infecting older Asus and Gigabyte motherboards, according to antivirus vendor Kaspersky.
The malware, dubbed CosmicStrand, is designed to infect the motherboard's UEFI (Unified Extensible Firmware Interface) firmware, so that it persists on a Windows computer even after the operating system is reinstalled or the storage drive is removed and replaced.
On Monday, Kaspersky said it had found CosmicStrand on Windows computers in China, Vietnam, Iran and Russia. All of the victims were running Kaspersky's free antivirus software, so they were most likely private individuals rather than organizations.
The company's investigation found CosmicStrand in firmware images for older Asus and Gigabyte motherboards built on the H81 chipset, which launched in 2013 and has since been discontinued.
By infecting the motherboard's UEFI firmware, CosmicStrand runs malicious code as soon as the PC boots, before the operating system has loaded. From there it can have the machine fetch a malicious payload from an attacker-controlled server and install it inside the Windows OS.
Kaspersky said that, regrettably, it was unable to obtain a copy of the data served by the C2 (command-and-control) server. But the company did find evidence that CosmicStrand's creators were attempting to remotely take control of the infected devices.
Kaspersky also isn't sure how CosmicStrand ends up on victims' computers. It's possible it arrived through another malware strain already present on the system, or through the attackers gaining physical access to the hardware.
Kaspersky added that, judging from the many firmware images it was able to obtain, it assesses the modifications may have been carried out with an automated patcher. If so, it would follow that the attackers had prior access to the target's computer in order to extract, modify and overwrite the motherboard's firmware.
CosmicStrand isn't the first UEFI-based malware; over the years the antivirus industry has found several other strains. But CosmicStrand appears to have stayed under the radar for many years. Kaspersky's investigation found one sample of the malware communicating with an attacker-controlled server that first appeared in December 2016. Another variant was found communicating with a different attacker-controlled server in 2020.
Image: the servers the malware samples were communicating with.
Kaspersky also noted that the Chinese antivirus vendor Qihoo 360 identified an early variant of CosmicStrand back in 2017, affecting an Asus B85M motherboard.
In its announcement Kaspersky further pointed out that Qihoo's original report indicates a customer may have received a backdoored motherboard after placing an order with a second-hand reseller, though Kaspersky said it was unable to verify this.
The company currently believes Chinese hackers developed CosmicStrand, citing overlaps between its code and other malware associated with Chinese-speaking hackers.
Kaspersky's products will detect this threat and block it from running, rendering it harmless, but it is unclear whether a firmware disinfection routine will be offered, since rewriting firmware carries a risk of bricking the customer's computer.
The only way to remove the infection permanently is to re-flash the motherboard's firmware, a delicate procedure that can be performed from the BIOS setup screen (for experienced users only) or with utilities provided by the hardware vendor. Note that flashing from within the board's own setup screen or a vendor utility relies on the very firmware that is suspected of being compromised; an external SPI programmer is the more trustworthy route where that option exists. The last-resort alternative is to replace the computer's motherboard and then reinstall Windows.
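How a practitioner would actually check for this class of tampering, as an added example that is not part of Kaspersky's report or of this article: dump the board's SPI flash (flashrom is the usual tool), then compare the firmware volume's FFS files, by GUID and body hash, against the vendor's downloadable BIOS image. An implant that was added with an automated patcher, as Kaspersky suspects, shows up as a new file GUID or as a changed hash on an existing driver. The Python below parses the UEFI firmware-volume and FFS headers directly; the two images it compares are constructed in memory for the demonstration, and every GUID in the sample is made up. It handles one volume with standard 24-byte file headers only, which is enough to show the technique but not a substitute for UEFITool or uefi-firmware-parser on a real multi-volume, compressed image.

```python
"""Firmware-volume diff: list the FFS files of a dumped UEFI image and compare
them, by GUID and body hash, with the vendor's image to spot added or patched
drivers. Added example for this article, not Kaspersky's tooling; the two
images below are constructed in memory so the script runs offline."""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FV_HEADER_LEN = 72          # 56-byte fixed header + one block-map entry + terminator
FFS_HEADER_LEN = 24
ERASED_NAME = b"\xff" * 16  # all-0xFF file name: erased (free) flash
FILE_TYPES = {0x03: "SEC_CORE", 0x04: "PEI_CORE", 0x05: "DXE_CORE", 0x06: "PEIM",
              0x07: "DXE_DRIVER", 0x0A: "SMM", 0x0B: "FV_IMAGE", 0x0D: "SMM_CORE"}

def _header_sum(hdr: bytes) -> int:
    """8-bit sum of an FFS header, which the PI spec requires to be 0 once the
    file-checksum byte (17) and State byte (23) are excluded."""
    z = bytearray(hdr)
    z[17] = z[23] = 0
    return sum(z) & 0xFF

def parse_fv(blob: bytes) -> dict:
    """Enumerate the FFS files of the first firmware volume in `blob` as
    {guid: (type_name, sha256_of_body, header_checksum_ok)}."""
    sig = blob.find(FV_SIGNATURE, 40)
    if sig < 0:
        raise ValueError("no firmware volume header found")
    fv_start = sig - 40                                   # signature is at header offset 40
    fv_len, = struct.unpack_from("<Q", blob, fv_start + 32)
    hdr_len, = struct.unpack_from("<H", blob, fv_start + 48)
    files, rel = {}, hdr_len
    while rel + FFS_HEADER_LEN <= fv_len:
        off = fv_start + rel
        hdr = blob[off:off + FFS_HEADER_LEN]
        if hdr[:16] == ERASED_NAME:
            break                                         # rest of the volume is free space
        ftype, attrs = hdr[18], hdr[19]
        if attrs & 0x01:
            raise ValueError(f"large-file FFS header at {off:#x} not handled here")
        size = int.from_bytes(hdr[20:23], "little")
        if size < FFS_HEADER_LEN or rel + size > fv_len:
            raise ValueError(f"corrupt FFS file header at {off:#x}")
        if ftype != 0xF0:                                 # pad files carry no code
            body = blob[off + FFS_HEADER_LEN:off + size]
            files[str(uuid.UUID(bytes_le=hdr[:16]))] = (
                FILE_TYPES.get(ftype, f"0x{ftype:02x}"),
                hashlib.sha256(body).hexdigest(),
                _header_sum(hdr) == 0)
        rel = (rel + size + 7) & ~7                       # files are 8-byte aligned
    return files

def diff_firmware(reference: bytes, dumped: bytes) -> dict:
    """Files added, removed or changed in `dumped` relative to `reference`,
    plus files in the dump whose header checksum no longer adds up."""
    ref, dump = parse_fv(reference), parse_fv(dumped)
    return {
        "added": sorted(g for g in dump if g not in ref),
        "removed": sorted(g for g in ref if g not in dump),
        "modified": sorted(g for g in ref if g in dump and ref[g][1] != dump[g][1]),
        "bad_header": sorted(g for g, v in dump.items() if not v[2]),
    }

def build_fv(files) -> bytes:
    """Assemble a minimal FFS2 firmware volume from (guid, type, body) triples.
    Used only to construct the sample images; real ones come from the flash chip."""
    body = bytearray()
    for guid, ftype, data in files:
        size = FFS_HEADER_LEN + len(data)
        hdr = bytearray(uuid.UUID(guid).bytes_le + b"\x00\x00" + bytes([ftype, 0x00])
                        + size.to_bytes(3, "little") + b"\xf8")  # State: valid, erase polarity 1
        hdr[16] = (-_header_sum(hdr)) & 0xFF                    # header checksum byte
        body += hdr + data
        body += b"\xff" * (-len(body) % 8)
    fv_len = FV_HEADER_LEN + len(body) + 64                     # leave 64 bytes erased
    fv_hdr = struct.pack("<16s16sQ4sIHHHBBIIII", b"\0" * 16, FFS2_GUID.bytes_le, fv_len,
                         FV_SIGNATURE, 0, FV_HEADER_LEN, 0, 0, 0, 2, 1, fv_len, 0, 0)
    checksum = (-sum(struct.unpack("<36H", fv_hdr))) & 0xFFFF   # 16-bit header checksum
    return bytes(fv_hdr[:50] + struct.pack("<H", checksum) + fv_hdr[52:] + body + b"\xff" * 64)

# Constructed sample (GUIDs are made up): the vendor's volume, and a dump of the
# same board where one DXE driver was patched and an extra driver appended.
DXE_CORE_GUID = "11111111-2222-4333-8444-555555555555"
PEIM_GUID = "12345678-1234-4234-8234-123456789abc"
VIDEO_DRV_GUID = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
IMPLANT_GUID = "deadbeef-0000-4000-8000-000000000001"
VENDOR_FILES = [(DXE_CORE_GUID, 0x05, b"MZ" + b"dxe core image " * 4),
                (PEIM_GUID, 0x06, b"MZ" + b"peim image " * 3),
                (VIDEO_DRV_GUID, 0x07, b"MZ" + b"video driver image " * 5)]
DUMPED_FILES = VENDOR_FILES[:2] + [
    (VIDEO_DRV_GUID, 0x07, b"MZ" + b"video driver image " * 4 + b"patched boot hook  "),
    (IMPLANT_GUID, 0x07, b"MZ" + b"injected dxe driver " * 3)]
VENDOR_IMAGE, DUMPED_IMAGE = build_fv(VENDOR_FILES), build_fv(DUMPED_FILES)

if __name__ == "__main__":
    for finding, guids in diff_firmware(VENDOR_IMAGE, DUMPED_IMAGE).items():
        print(f"{finding:10s} {guids}")
```

Run against the constructed pair, the script reports the implant's GUID under "added" and the patched video driver under "modified". Two caveats when applying the same idea to a real board: a dump taken through the running system (flashrom with the internal programmer, or a vendor utility) is read via the very firmware that may be compromised, so an external SPI programmer is the more reliable source; and vendor images often differ from a dump in legitimate ways (NVRAM variables, microcode updates, settings regions), so the comparison should be restricted to the code-bearing volumes and unexplained changes to DXE drivers are what deserve attention.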