Rootkits are malware implants which burrow themselves in the deepest corners of the operating system. Although on paper they may seem attractive to attackers, creating them poses significant technical challenges and the slightest programming error has the potential to completely crash the victim machine. In our APT predictions for 2022, we noted that despite these risks, we expected more attackers to reach the sophistication level required to develop such tools. One of the main draws towards malware nested in such low levels of the operating system is that it is extremely difficult to detect and, in the case of firmware rootkits, will ensure a computer remains in an infected state even if the operating system is reinstalled or the user replaces the machine’s hard drive entirely.
In this report, Kaspersky present a UEFI firmware rootkit that they called CosmicStrand and attribute to an unknown Chinese-speaking threat actor. One of Kaspersky’s industry partners, Qihoo360, published a blog post about an early variant of this malware family in 2017.