
Malware Targeting Older Motherboards From ASUS And Gigabyte


A new form of malware has been discovered in older motherboards from ASUS and Gigabyte, but it’s not that simple

A “malware strain” that can “survive OS reinstalls” and has been “infiltrating older motherboards from ASUS and Gigabyte” has recently been uncovered by antivirus company Kaspersky.

The malware, which is a type of rootkit that lurks in the motherboard’s UEFI, is still active even after the host hard drive or SSD has been erased or replaced.

The malware, known as “CosmicStrand,” is said to be a development of an older strain known as Spy Shadow Trojan, which was first identified in 2016. The researchers discovered CosmicStrand in the firmware of Asus and Gigabyte motherboards.

The motherboards of the infected systems were based on the H81 chipset, which was introduced in 2013 and has since been discontinued. To modify the firmware and implant CosmicStrand, an attacker would first need access to the system, or would have to install another piece of malware on it beforehand.

Kaspersky explained:

“Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer to extract, modify and overwrite the motherboard’s firmware”.


Therefore, if you’re reading this, don’t assume that your system has been compromised or that Asus or Gigabyte systems have been insecure for years. For the time being, it is probable that CosmicStrand can only exploit a potential vulnerability in H81 UEFI firmware.

The malware sets up a series of hooks that eventually give it access to the Windows kernel, causing the infected OS to retrieve a payload that then runs on the victim’s computer.

The Kaspersky engineers were unable to retrieve the payload itself, but they believe the malware shares code patterns with a Chinese organization that created the MyKings crypto-mining botnet.

Kaspersky also stated:

“the multiple rootkits discovered so far evidence a blind spot in our industry that needs to be addressed sooner rather than later.”

This points to a problem that has to be addressed, because it could develop into a significant issue in the future, even though the threat is currently minimal.