Your motherboard could be infected with some seriously sneaky malware

New UEFI malware discovered lurking in elderly ASUS and Gigabyte hardware

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurity researchers from Qihoo360 and Kaspersky have warned some older motherboards could be infected with uniquely sneakymalware.

Motherboardmalware, persistent threats usually known as UEFI rootkits, are particularly difficult to remove, as even wiping the hard drive doesn’t eliminate the threat.

This instance, which Qihoo360 dubbed Spy Shadow Trojan, and Kaspersky named CosmicStrand, was found on machines with ASUS and Gigabyte motherboards. These were mostly discontinued hardware, produced between 2013 and 2015, with Kaspersky noting UEFI firmware rootkit can persist on devices for as long as they are operational.

Difficult compromise to pull off

Explaining the findings via Twitter, former Kaspersky reverse engineer Mark Lechtik said the compromised firmware images came with a modified CSMCORE DXE driver, which enables a legacy boot process,BleepingComputerreported.

“This driver was modified so as to intercept the boot sequence and introduce malicious logic to it,” Lechtik said.

What the researchers don’t know yet is how the malware made it onto the devices, as compromising theendpointswith UEFI malware involves either having physical access to the devices or having precursor malware that would be able to automatically patch the firmware image.

This bootkit has been used to backdoor Windows devices for almost a decade>Intel, Lenovo and more hit by major BIOS security flaws>These are the best antivirus solutions around

In Qihoo360’s case, a victim said they had bought an already compromised, used motherboard, from the Internet. Among the victims that Kaspersky analyzed were private individuals in China, Iran, Vietnam, and Russia, that had almost nothing in common.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

It is hard to determine who the threat actor is, although Kaspersky believes the same group is behind the MyKings cryptomining botnet.

Although more difficult to pull off, UEFI malware is becoming more common. In October last year, for example, cybersecurity researchers from ESET discovered such malware and dubbed it ESPecter. Back then, the researchers claimed this threat was active since at least 2012 and was used mostly for espionage, as it was capable of keylogging and stealing documents.

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Your doctor may have an AI assistant taking notes during your next Zoom call