Malware
CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit
  03-Aug-2022 23:42:17



The workflow consists of setting hooks[1] in succession, allowing the malicious code to persist until after the OS has started up. The steps involved are:
1. The initial infected firmware bootstraps the whole chain.
2. The malware sets up a malicious hook in the boot manager, allowing it to modify Windows’ kernel loader before it is executed.
3. By tampering with the OS loader, the attackers are able to set up another hook in a function of the Windows kernel.
4. When that function is later called during the normal start-up procedure of the OS, the malware takes control of the execution flow one last time.
5. It deploys a shellcode in memory and contacts the C2 server to retrieve the actual malicious payload to run on the victim’s machine.
UEFI implant – detailed analysis
MD5 : DDFE44F87FAC7DAEEB1B681DEA3300E9 (https://opentip.kaspersky.com/DDFE44F87FAC7DAEEB1B681DEA.../)
SHA1 : 9A7291FC90F56D8C46CC78397A6F36BB23C60F66
SHA256 : 951F74882C1873BFE56E0BFF225E3CD5D8964AF4F7334182BC1BF0EC9E987A0A
Link time : Wednesday, 12.08.2015 12:17:57 UTC
File type : EFI Boot Service DXE Driver
File size : 96.84 KB
GUID : A062CF1F-8473-4AA3-8793-600BC4FFE9A8 (CSMCORE)
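Added example (not part of the original post or of Kaspersky's analysis): a defender who has dumped the SPI flash can check whether the image carries a CSMCORE DXE driver whose PE32 body matches the SHA256 listed above. CSMCORE is a normal driver, so the GUID alone is not an indicator; only the hash is. The parser assumes an uncompressed FFS file with a standard 24-byte header and 4-byte section headers (drivers inside compressed volumes must be decompressed first, e.g. with UEFITool); the firmware image used here is constructed, not a real dump.

```python
import hashlib
import struct
import uuid

# Values taken from the analysis above (SHA256 lowercased for comparison)
CSMCORE_GUID = uuid.UUID("A062CF1F-8473-4AA3-8793-600BC4FFE9A8")
KNOWN_BAD_SHA256 = "951f74882c1873bfe56e0bff225e3cd5d8964af4f7334182bc1bf0ec9e987a0a"
FFS_HEADER_LEN = 24      # EFI_FFS_FILE_HEADER: GUID(16) IntegrityCheck(2) Type(1) Attributes(1) Size(3) State(1)
SECTION_HEADER_LEN = 4   # EFI_COMMON_SECTION_HEADER: Size(3) Type(1)
EFI_SECTION_PE32 = 0x10

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def find_pe32_sections(image: bytes, guid: uuid.UUID):
    """Yield (file_offset, pe_bytes) for each PE32 section of uncompressed FFS files named `guid`."""
    needle = guid.bytes_le                      # GUIDs are stored mixed-endian on flash
    pos = image.find(needle)
    while pos != -1:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if len(hdr) == FFS_HEADER_LEN:
            body = image[pos + FFS_HEADER_LEN:pos + int.from_bytes(hdr[20:23], "little")]
            off = 0
            while off + SECTION_HEADER_LEN <= len(body):
                sec_size, sec_type = int.from_bytes(body[off:off + 3], "little"), body[off + 3]
                if sec_size < SECTION_HEADER_LEN:
                    break                       # corrupt or padding data: stop walking this file
                if sec_type == EFI_SECTION_PE32:
                    yield pos, body[off + SECTION_HEADER_LEN:off + sec_size]
                off += (sec_size + 3) & ~3      # sections are 4-byte aligned
        pos = image.find(needle, pos + 1)

def scan_firmware(image: bytes, bad_hashes=frozenset({KNOWN_BAD_SHA256})):
    """Hash every CSMCORE PE32 image found and flag the ones matching a known-bad digest."""
    return [{"offset": off, "sha256": sha256_hex(pe), "is_known_bad": sha256_hex(pe) in bad_hashes}
            for off, pe in find_pe32_sections(image, CSMCORE_GUID)]

# --- constructed test data (hypothetical stand-in, not a real firmware dump) ---
DEMO_PAYLOAD = b"MZ constructed CSMCORE stand-in"

def build_ffs_file(guid: uuid.UUID, sections) -> bytes:
    body = b""
    for sec_type, payload in sections:
        sec = struct.pack("<I", len(payload) + SECTION_HEADER_LEN)[:3] + bytes([sec_type]) + payload
        body += sec + b"\x00" * (-len(sec) % 4)
    size = FFS_HEADER_LEN + len(body)
    return guid.bytes_le + struct.pack("<HBB", 0, 0x07, 0) + size.to_bytes(3, "little") + b"\xF8" + body

def demo_image() -> bytes:
    ui = (0x15, "CSMCORE".encode("utf-16-le") + b"\x00\x00")   # EFI_SECTION_USER_INTERFACE
    return b"\xFF" * 64 + build_ffs_file(CSMCORE_GUID, [ui, (EFI_SECTION_PE32, DEMO_PAYLOAD)]) + b"\xFF" * 32
```

Run `scan_firmware(open("dump.bin", "rb").read())` on a real flash dump; any entry with `is_known_bad` set matches the implant's hash.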
The victims of CosmicStrand are located in China, Vietnam, Iran and Russia.
How can malware like this end up in motherboard firmware? It is believed that an "Evil Maid Attack" was the initial attack vector. Basically, someone between the manufacturer and the end user modified the firmware; it could have been warehouse staff, a third-party reseller, or the company that assembled the machine.
As for mitigation, never accept a motherboard whose seal is already broken when you buy one, and the same goes for the other PC parts, not just the motherboard.
====================================
[1] A hook is a modification to the normal flow of execution of a program. It aims to execute additional code provided by the attacker before or after a given function. In some environments, function hooking is provided for legitimate purposes and can be set up easily through conventional programming mechanisms. In other cases, where they are not explicitly supported, attackers can still achieve hooking by overwriting (and later on, restoring) the code that is about to be executed. Both cases are leveraged by this rootkit.
*Picture Credit to Mental Outlaw (https://www.youtube.com/c/MentalOutlaw)
Thanks to GReAT (Global Research & Analysis Team, Kaspersky Lab) for the (literally) great analysis
