A UEFI firmware bootkit in the wild by Ivan Kwiatkowski | Nullcon Goa 2022
Abstract:

Despite the advanced capabilities they provide, low-level implants such as bootkits and rootkits are deployed only by the most sophisticated attackers, because of the risk they pose to the stability of the victim system. In recent years, however, Kaspersky has observed a number of new low-level malware families, such as MosaicRegressor, MoonBounce, and the subject of this talk, CosmicStrand. CosmicStrand is a UEFI firmware bootkit that hides in select Asus and Gigabyte motherboards in order to provide persistence so deep that it survives a Windows reinstallation. CosmicStrand begins executing when the victim machine is powered on and propagates a malicious component up to the Windows kernel, where it injects a shellcode tasked with downloading further malware from a C2 server. This talk presents the inner workings of the rootkit and also delves into its mysterious history. The variants we discovered appeared between 2016 and 2020, with year-long gaps in between during which the corresponding infrastructure appears to have been inactive. We also examine the interesting code similarities between CosmicStrand and the MyKings botnet, which is linked to the Chinese-speaking cybercrime ecosystem.

#rootkit #bootkit #UEFI #Firmware #NullconGoa2022 #Nullcon

Website: https://nullcon.net
