Eclypsium reveals a backdoor-like risk in Gigabyte’s app center firmware where a Windows native executable is dropped into UEFI and executed at startup, enabling further payloads to be downloaded and run. The disclosure underscores supply-chain and local-environment attack surfaces and provides mitigations, including firmware updates and disabling insecure update features. #Gigabyte #Eclypsium #LoJax #MosaicRegressor #Vector-EDK #Sednit #APT28
Keypoints
- Firmware in Gigabyte systems drops a Windows native executable during system boot and installs it via WPBT for execution at startup.
- The dropped executable downloads and executes additional payloads from remote locations, using HTTP/HTTPS with weak or absent cryptographic validation.
- Affected models have expanded from 271 to 406 according to Eclypsium’s monitoring updates.
- The backdoor behavior resembles classic OEM backdoors and firmware implants (e.g., Computrace/LoJack, LoJax, MosaicRegressor, Vector-EDK) and can persist across reboots.
- Risks include supply-chain compromise, local environment compromise, and firmware-based persistence.
- Defensive recommendations include firmware updates, disabling the APP Center Download & Install feature, and blocking specific update URLs.
MITRE Techniques
- [T1542.001] Modify BIOS/UEFI – The UEFI firmware loads an embedded Windows executable into memory and installs it into a WPBT ACPI table for execution at Windows startup. “During the Driver Execution Environment (DXE) phase of the UEFI firmware boot process, the ‘WpbtDxe.efi’ firmware module uses the above GUID to load the embedded Windows executable into memory, installing it into a WPBT ACPI table which will later be loaded and executed by the Windows Session Manager Subsystem (smss.exe) upon Windows startup.”
- [T1543.003] Windows Service – The dropped executable writes to %SystemRoot%\system32\GigabyteUpdateService.exe and “sets registry entries to run this executable as a Windows Service.”
- [T1105] Ingress Tool Transfer – The .NET payload downloads and runs an executable from remote locations (e.g., http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 and related HTTPS variants). “The dropped Windows executable is a .NET application. It downloads and runs an executable payload from one of the following locations …”
- [T1195] Supply Chain Compromise – The analysis discusses risks in the OEM update infrastructure and broader supply chain implications, noting prior breaches and persistent firmware-level backdoors. “Compromise in the supply chain … In August 2021, Gigabyte experienced a breach of critical data …”
Indicators of Compromise
- [File Hash] 8ccbee6f7858ac6b92ce23594c9e2563ebcef59414b5ac13ebebde0c715971b2.bin – Stage 1 Windows native binary embedded in UEFI firmware.
- [GUID] AEB1671D-019C-4B3B-BA00-35A2E6280436 – GUID used by the UEFI module to load the embedded executable.
- [File Path] %SystemRoot%\system32\GigabyteUpdateService.exe – Location where the Windows binary writes to disk.
- [URL] http://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4, https://mb.download.gigabyte.com/FileList/Swhttp/LiveUpdate4 – Remote payload download locations.
- [URL] https://software-nas/Swhttp/LiveUpdate4 – Alternative remote location.
Read more: https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/