CosmicStrand: sophisticated firmware rootkit allows durable persistence

Kaspersky’s researchers have uncovered a rootkit developed by an advanced persistent threat (APT) actor that stays on the victim’s machine even if the operating system is rebooted or Windows is reinstalled – making it very dangerous in the long run. Dubbed “CosmicStrand,” this UEFI firmware rootkit was used majorly to attack private individuals in China, with rare cases in Vietnam, Iran and Russia.

The UEFI firmware is a critical component in the vast majority of hardware. Its code is responsible for booting up a device, launching the software component that loads the operating system. If the UEFI firmware is somehow modified to contain malicious code that code will be launched before the operating system, making its activity potentially invisible to security solutions and to the operating system’s defenses. This, and the fact that the firmware resides on a chip separate from the hard drive, makes attacks against UEFI firmware exceptionally evasive and persistent – because regardless of how many times the operating system is reinstalled, the malware will stay on the device.

Read more about it: here