Review of Cosmic Strand UEFI Root Kit

Authors

  • Chinmay Pandey
  • Sandeep Chitalkar

Keywords:

Attacks, Cosmic strand, Malware, Root kit, Virus

Abstract

Root kits are malware implants that hide in the most inaccessible parts of the operating system. Even though they appear quite appealing to any adversary on paper, crafting a root kit entails considerable technological obstacles, and even the smallest programming error may crash the target system entirely. In the Securelist APT predictions for 2022, it was mentioned that, despite the risks and hurdles, Securelist still expected an increase in the number of threat actors or adversaries acquiring the complexity and sophistication level required to develop such tools. One of the key features of malware that works at such low levels of a computer system is that it is stealthy. This stealth makes such malware difficult to detect, and in the case of firmware root kits it ensures that the target computer system remains infected even if the owner reinstalls the operating system or replaces the machine's hard drive (or SSD, in today's generation) altogether with a new storage unit. Root kit is an umbrella term with five common types: user-mode root kits, kernel-mode root kits, boot-kits, hypervisor-level root kits, and firmware and hardware root kits. According to MITRE, an adversary or threat actor may use a root kit to hide the presence of something specific, such as a program, a file, particular network connections, malicious services, or other system components such as modified drivers, because root kits hide the existence of malware by modifying the operating system's own API calls that would otherwise supply that information. MITRE also provides the notable example of the LoJax UEFI root kit, which was utilized by the APT28 threat actor as a means of maintaining remote access on target systems. The aim of this review paper was to examine and review how a particular UEFI firmware root kit known as CosmicStrand behaves and what its mechanisms are.
This root kit family was first discovered by one of Securelist's partners, known as Qihoo360, and this partner published a Chinese blog post about the early variant in 2017.

Published

2022-09-30

Issue

Section

Articles