Windows PCs from ASUS and Gigabyte are being impacted by the "CosmicStrand" UEFI Rootkit

Currently, systems from ASUS and Gigabyte are affected


Kaspersky uncovers the "CosmicStrand" UEFI malware, and it can stay with you after Windows re-installs

Researchers at Kaspersky have uncovered a new rootkit called "CosmicStrand" that has found its way onto Windows PCs in China, Iran, Vietnam, and Russia. The rootkit has been classified as an "advanced persistent threat" (APT) due to its ability to re-install itself onto systems after a fresh Windows install, thanks to its ability to install itself in your motherboard's UEFI firmware.

This new malware is a new variant of "Spy Dragon Trojan", which first infected systems back in 2016/2017. So far, Kaspersky has only found that Windows PCs are affected by this new malware, and that the rootkit has been found on systems made by ASUS and Gigabyte. The only way to clean a system that's infected by this malware is to re-install your motherboard's UEFI. No number of new Windows installs will remove this malware from your system, as fresh Windows installs would simply become re-infected. 

Currently, Kaspersky has been unable to identify the source of this new rootkit, or how the rootkit made its way onto infected systems in the first place. Kaspersky recommends that businesses regularly update the firmware of their systems and to only use firmware from trusted vendors to prevent their systems from being affected by this threat. That said, the rootkit has reportedly only affected private individuals in affected nations, not companies or organisations.

Below is a comment from Kaspersky's Ivan Kwiatkowski, a senior security researcher.

    Despite being recently discovered, the CosmicStrand UEFI firmware rootkit seems to have been being deployed for quite a long time. This indicates that some threat actors have had very advanced capabilities that they’ve managed to keep under the radar. We are left to wonder what new tools they have created in the meantime that we have yet to discover.


Right now, CosmicStrand has only been found on systems in China, Vietnam, Iran, and Russia, which means that CosmicStrand has not made it onto western systems.

You can join the discussion on CosmicStrand on the OC3D Forums.


Most Recent Comments

28-07-2022, 05:09:42

So even removing the battery doesn't clean this trash up? Can someone explain this? I would've guessed that the battery keeps the current settings and if it's empty or removed, a default setup will be loaded. So these rootkits can install themselves even into these default setup routines?! Really 2Spooky4Me.

28-07-2022, 08:30:08

This is irrelevant. As per article, it was a targeted attack against some private individuals. It's not something that's meant to infect every machine. Which also means that it most likely wasn't downloaded, but installed on site or prior to whoever purchased the motherboard/PC.

Targeted attacks like this have CIA written all over. And when you see the list of countries where they were found, it's obvious that they're behind it.

And if it's CIA, then it is also very likely that ASUS and Gigabyte know about it and that they assisted them in some way. Just throwing that out there.
