Kaspersky have called the problem CosmicStrand but an earlier variant of the threat was discovered by malware analysts at Qihoo360, who named it Spy Shadow Trojan.
It is unclear how the threat actor managed to inject the rootkit into the firmware images of the target machines but researchers found the malware on machines with ASUS and Gigabyte motherboards.
The Unified Extensible Firmware Interface (UEFI) software is what connects a computer’s operating system with the firmware of the underlying hardware. UEFI code is the first to run during a computer’s booting sequence, ahead of the operating system and the security solutions.
Kaspersky said that the infected UEFI component deploys a kernel-level implant into a Windows system at every boot.
The entire process consists of setting up hooks to modify the operating system loader and take control of the entire execution flow to launch the shellcode that fetches the payload from the command and control server.
Mandiant's Mark Lechtik, who was involved in the research, tweeted that the compromised firmware images came with a modified CSMCORE DXE driver, which enables a legacy boot process.
“This driver was modified so as to intercept the boot sequence and introduce malicious logic to it,” Lechtik wrote.
The Chinese researchers began analyzing the implant after a victim reported that their computer had created a new account out of the blue and that the antivirus software kept alerting on a malware infection.
According to their report, the compromised system ran on a second-hand ASUS motherboard that the owner had purchased from an online store.
Kaspersky was able to determine that the CosmicStrand UEFI rootkit was lodged in firmware images of Gigabyte or ASUS motherboards that share a design based on the H81 chipset.
This refers to old hardware from 2013 to 2015 that is mostly discontinued today.