
Cybercrime, CosmicStrand now hides in modified UEFI

CosmicStrand now hides in modified UEFI. Kaspersky cybersecurity experts: the malware, a rootkit, downloads a malicious program at operating system startup, which then performs the tasks set by the attackers.

A new version of the CosmicStrand rootkit is in the wild. It was discovered by Kaspersky cybersecurity experts, who found the malware in modified UEFI (Unified Extensible Firmware Interface) firmware, the code that loads first and initiates the OS boot process when the computer is turned on. The main purpose of CosmicStrand is to download a malicious program at operating system startup, which then performs the tasks set by the attackers. Having successfully passed through all stages of the OS boot process, the rootkit eventually runs shellcode and contacts the attackers' C2 server, from which it receives a malicious payload. The cybercrime operation is attributed to an unknown Chinese-speaking threat actor. Researchers believe there are two older variants of the malware, the first one active between 2016 and 2017.
