A rootkit is one of the most dangerous types of malware that can infect a computer. In July 2022, Kaspersky published research on a rootkit that specifically targets the UEFI firmware of Gigabyte and Asus motherboards built on the Intel H81 chipset. This rootkit, called CosmicStrand, is a serious threat because it is the work of an Advanced Persistent Threat (APT) actor.
Such actors are known for building sophisticated tooling to gain and keep access to computers and networks. Surprisingly, most of the known CosmicStrand victims were private individuals in China, Russia, Vietnam, and Iran rather than businesses or other organizations.
What Is CosmicStrand, and What Does It Do?
CosmicStrand is a rootkit that gives attackers complete control of your computer without you knowing anything about it. Because it is implanted in the UEFI firmware stored on the motherboard rather than on the disk, it stays hidden from traditional security tools, which inspect the operating system and the hard drive, not the firmware.
Apart from that, the CosmicStrand rootkit remains on the victim's device even after the Windows operating system is reinstalled or repaired, and even after the hard drive is replaced, because the infection is not on the drive at all. This persistence makes it very dangerous and something you cannot take lightly.
Once its kernel-level component is running, the rootkit allows the attacker to do anything they want on the computer, including stealing sensitive information, installing other malware, and taking over the entire system.
How Is CosmicStrand Installed on Computers?
According to Kaspersky's researchers, the attackers implanted CosmicStrand in the victim's firmware by modifying the CSMCORE DXE driver. The modification forces the driver to run malicious code at system startup; that code plants a chain of hooks that survives the hand-off from the boot manager to the Windows kernel, where a kernel-mode component downloads and runs the final payload from the attackers' server.
By examining the infected firmware images, the researchers assess that the modifications were made with an automated patcher, which would mean the attackers had prior access to the victim's computer in order to extract, modify, and overwrite the motherboard's firmware. The patch redirects the entry point of the CSMCORE DXE driver to malicious code stored in the executable's .reloc section, which in a clean PE image holds only relocation data, not code.
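The entry-point redirection described above is something you can check for yourself. The following Python script is an added example written for this article, not code from Kaspersky's report or from the attackers' tooling. It assumes you have already extracted a DXE driver (such as CSMCORE) from a firmware dump with a tool like UEFITool and have its PE bytes; it parses the PE headers, finds which section contains AddressOfEntryPoint, and flags an entry point that lands in .reloc or in a section without code/execute flags. The two sample images are constructed inside the block (headers only, no real driver code) so that it runs offline.

```python
"""Heuristic entry-point check for PE32/PE32+ images such as UEFI DXE drivers.

Assumed workflow (not shown): extract the CSMCORE DXE driver from a firmware
dump with a tool such as UEFITool, then call check_entry_point() on its bytes.
A normal driver's AddressOfEntryPoint lies in a code section (.text); an
entry point inside .reloc, or in a section with no code/execute flags, is the
kind of patch described above and is reported as suspicious.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(image: bytes):
    """Return (entry_rva, sections); sections is a list of
    (name, virtual_address, size, characteristics) tuples."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24                                            # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    off = opt + opt_size                                     # section table start
    for _ in range(num_sections):
        (name, vsize, va, rawsize, _raw, _rel, _lin,
         _nrel, _nlin, chars) = struct.unpack_from(SECTION_HEADER_FMT, image, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, max(vsize, rawsize), chars))
        off += struct.calcsize(SECTION_HEADER_FMT)
    return entry_rva, sections


def check_entry_point(image: bytes):
    """Return (section_name, suspicious, reason) for the image's entry point."""
    entry_rva, sections = parse_pe(image)
    for name, va, size, chars in sections:
        if va <= entry_rva < va + size:
            if name == ".reloc":
                return name, True, "entry point redirected into .reloc"
            if not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
                return name, True, "entry point in a non-code section"
            return name, False, "entry point in a code section"
    return None, True, "entry point outside every section"


def build_sample_image(entry_rva, sections):
    """Build a minimal, headers-only PE32+ image for demonstration.
    Constructed sample for this example, not a real DXE driver."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew = 64
    opt_size = 112                                           # PE32+ header, no data directories
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    out = dos + b"PE\0\0" + coff + opt
    for name, va, size, chars in sections:
        out += struct.pack(SECTION_HEADER_FMT, name.encode("ascii"),
                           size, va, size, 0, 0, 0, 0, 0, chars)
    return bytes(out)


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
LAYOUT = [(".text", 0x1000, 0x3000, CODE),
          (".data", 0x4000, 0x1000, DATA),
          (".reloc", 0x5000, 0x0200, DATA)]

CLEAN_DRIVER = build_sample_image(0x1000 + 0x20, LAYOUT)    # entry in .text
PATCHED_DRIVER = build_sample_image(0x5000 + 0x40, LAYOUT)  # entry hooked into .reloc

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_DRIVER), ("patched", PATCHED_DRIVER)):
        print(label, check_entry_point(img))
```

Two caveats for anyone running this against real firmware. UEFI does not enforce section permissions, so code in .reloc executes fine; that is exactly why the entry-point location is a useful signal, but an implant could just as well rename sections or inject a new one, so the stronger check is to compare every extracted driver against the one in the vendor's official firmware image. The script also handles only MZ/PE images, not the TE (terse executable) format that some firmware volumes use.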
How Can You Protect Your System From CosmicStrand and Other Rootkits?
The best way to protect your system from CosmicStrand and other rootkits is to install a robust security solution that can detect and remove such threats. For a UEFI implant that means a product that includes a firmware scanner: one that only inspects the disk and the operating system will not see it.
You should also keep your operating system and all your software up to date with the latest security patches. This closes holes that attackers could otherwise use to get into your system. Obtain firmware updates, and all other essential updates, only from the manufacturer's official channels.
It is also essential to create regular backups of your data so that you can restore your files if your system is infected with a rootkit or any other malware. Keep in mind that restoring a backup does not remove a firmware rootkit, since the infection lives in the motherboard's flash and not on the disk; backups protect your data, not the firmware.
Beyond that, practice basic security hygiene: do not click unknown links or attachments, do not download pirated software or content from untrustworthy websites, and do not share your personal information with anyone who asks for it. This helps safeguard you against social engineering attacks.
Should You Be Worried About CosmicStrand?
As of August 2022, very few instances of CosmicStrand infections have been reported. However, given the sophistication of the rootkit and its ability to remain hidden, we may see more attacks in the future. So far, only specific Gigabyte and Asus motherboards are on CosmicStrand's target list, but it is possible that boards from other manufacturers are at risk too.
If you have a Gigabyte or Asus motherboard with an Intel H81 chipset, it is essential to check whether your system is infected, for example by dumping the firmware and comparing its DXE drivers against the vendor's official image. If you find the rootkit, removing it means reflashing the firmware with a clean vendor image; reinstalling Windows will not help. You should also install a reliable security solution with firmware scanning to protect your system from such threats in the future.
While the CosmicStrand rootkit is not a widespread threat, it is crucial to be aware of it and to take steps to protect your system.