CosmicStrand is a sophisticated UEFI firmware rootkit attributed to a Chinese-speaking threat actor, designed to persist from the earliest boot stages and deploy kernel- and user-mode payloads. It achieves durable persistence by implanting in firmware (CSMCORE) and chaining through the boot process to reach Windows, where it fetches and executes additional components via a C2 server. #CosmicStrand #MyKings #erda158 #bokts
Key points
- CosmicStrand targets firmware images from Gigabyte or ASUS motherboards using the H81 chipset, suggesting a shared pre-existing vulnerability in those designs.
- The rootkit modifies the CSMCORE DXE driver and patches the boot process to redirect execution to attacker code during startup.
- Multiple staged hooks are installed to pass malicious code down from the UEFI level into the Windows kernel and then into memory-resident components.
- PatchGuard is targeted and disabled (KiFilterFiberContext modified) to ease kernel-level code execution.
- The kernel shellcode eventually contacts a C2 server (update.bokts[.]com) and downloads the final payload, which is mapped into kernel space and executed as shellcode.
- C2 communication relies on DNS, with the shellcode driving the network device's I/O directly; lookups are sent to Google's 8.8.8.8 or a custom resolver at 222.222.67.208 to reach the C2.
- One observed user-mode payload creates a new local administrator account (aaaabbbb), indicating post-compromise persistence and privilege escalation.
- Older CosmicStrand variants existed (2016–2017) with different C2 domains (erda158[.]top) and thread-targeting, showing a long-running capability lifecycle.
MITRE Techniques
- [T1542.001] Modify BIOS/UEFI – UEFI rootkit persists across boots by embedding in firmware; “The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset.”
- [T1179] Hooking – The malware sets up hooks in boot and OS components to intercept execution; “The workflow consists in setting hooks in succession, allowing the malicious code to persist until after the OS has started up.”
- [T1574] Hijack Execution Flow – Attacker-supplied code is injected by patching boot/OS loader paths and adding hooks to redirect execution; “CosmicStrand then adds a hook at the very end of [OslArchTransferToKernel]”
- [T1055] Process/Kernel Injection – Kernel-level code is inserted and a shellcode is mapped into kernel space; “the ZwCreateSection hook’s primary purpose is to collect the addresses of API functions … allocates a buffer in the kernel’s address space where it maps a shellcode.”
- [T1562.001] Impair Defenses – Attempts to disable PatchGuard by modifying KiFilterFiberContext; “CosmicStrand also seemingly attempts to disable PatchGuard… modifies it so it returns without performing any work.”
- [T1105] Ingress Tool Transfer – Downloads and loads the final payload from C2 after initial shellcode execution; “The reply is expected to return in one or several packets containing chunks … mapped into kernel space and interpreted as a shellcode.”
- [T1071.004] Application Layer Protocol: DNS – DNS lookups used to reach C2 and download payloads; “DNS requests are performed … using Google’s DNS server (8.8.8[.]8) or a custom one (222.222.67[.]208).”
- [T1136] Create Account – The in-memory payload creates a user and adds it to the local Administrators group; “it is linked with CosmicStrand … creates a user (‘aaaabbbb’) … and adds it to the local administrators group.”
- [T1547.001] Boot or Logon Autostart Execution – The chain is designed to deploy a kernel-level implant every time the system boots from an infected UEFI component; “The goal of this execution chain is to deploy a kernel-level implant into a Windows system every time it boots, starting from an infected UEFI component.”
Indicators of Compromise
- [Domain] C2 domains – update.bokts[.]com, erda158[.]top
- [IP] Related C2/IPs – 58.84.53[.]194, 115.239.210[.]27, 23.82.12[.]30, 23.82.12[.]31, 23.82.12[.]32
- [DNS] DNS servers used for C2 lookups – 8.8.8[.]8 and 222.222.67[.]208
- [File] EFI firmware artifact hashes – MD5: DDFE44F87FAC7DAEEB1B681DEA3300E9; SHA1: 9A7291FC90F56D8C46CC78397A6F36BB23C60F66; SHA256: 951F74882C1873BFE56E0BFF225E3CD5D8964AF4F7334182BC1BF0EC9E987A0A
- [File] EFI DXE driver and GUID – “EFI Boot Service DXE Driver … GUID A062CF1F-8473-4AA3-8793-600BC4FFE9A8 (CSMCORE)”
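Added example, not code from the Securelist report: a Python script that locates FFS files carrying the CSMCORE GUID listed above inside a dumped firmware image and hashes each one so the result can be compared with the hashes above. The FFS header layout follows the UEFI PI specification, the sample image is constructed, and whether the published hashes cover the whole FFS file or only the PE body inside it is an assumption to confirm against the report.

```python
import hashlib
import uuid

# GUID of the CSMCORE DXE driver listed on the page (text form).
CSMCORE_GUID = "A062CF1F-8473-4AA3-8793-600BC4FFE9A8"
FFS_HEADER_LEN = 24           # EFI_FFS_FILE_HEADER, non-large-file form
FFS_ATTRIB_LARGE_FILE = 0x01  # extended header with 64-bit size; skipped here


def guid_to_efi_bytes(guid_text):
    """Encode a text GUID as the 16-byte EFI_GUID layout (Data1..Data3 little-endian)."""
    return uuid.UUID(guid_text).bytes_le


def find_ffs_files(image, guid_text):
    """Yield (offset, file_bytes) for each FFS file whose header name matches guid_text.

    Header: GUID(16) + integrity(2) + type(1) + attributes(1) + size(3) + state(1);
    the 24-bit size includes the header itself.
    """
    needle = guid_to_efi_bytes(guid_text)
    pos = image.find(needle)
    while pos != -1:
        hdr = image[pos:pos + FFS_HEADER_LEN]
        if len(hdr) == FFS_HEADER_LEN:
            attributes, size = hdr[19], int.from_bytes(hdr[20:23], "little")
            # Sanity-check the size so a stray GUID match elsewhere is not reported.
            if not attributes & FFS_ATTRIB_LARGE_FILE and FFS_HEADER_LEN < size <= len(image) - pos:
                yield pos, image[pos:pos + size]
        pos = image.find(needle, pos + 1)


def hash_ffs_files(image, guid_text=CSMCORE_GUID):
    """Return [(offset, md5, sha1, sha256)] for every matching FFS file, uppercase hex."""
    return [(off, hashlib.md5(d).hexdigest().upper(), hashlib.sha1(d).hexdigest().upper(),
             hashlib.sha256(d).hexdigest().upper()) for off, d in find_ffs_files(image, guid_text)]


def build_sample_image():
    """Constructed stand-in firmware blob: padding, one fake CSMCORE FFS file, padding."""
    body = b"\x90" * 40                       # constructed filler, not a real driver
    size = FFS_HEADER_LEN + len(body)
    header = (guid_to_efi_bytes(CSMCORE_GUID) + b"\x00\x00"   # integrity check
              + b"\x07" + b"\x00"                              # type=DRIVER, attributes
              + size.to_bytes(3, "little") + b"\xf8")          # size, state
    return b"\xff" * 64 + header + body + b"\xff" * 64


if __name__ == "__main__":
    for off, md5, sha1, sha256 in hash_ffs_files(build_sample_image()):
        print(f"CSMCORE FFS file at 0x{off:x}: MD5={md5} SHA256={sha256}")
```

Run it against a real SPI dump by passing the dump's bytes to hash_ffs_files; a CSMCORE match is expected in legitimate firmware too, so only a hash match against the IoCs above is meaningful.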
Read more: https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/