Explore the intricacies of CosmicStrand, a sophisticated UEFI firmware bootkit, in this 46-minute conference talk from Nullcon Goa 2022. Delve into the inner workings of this low-level implant that targets specific Asus and Gigabyte motherboards, providing persistence that survives even Windows reinstallation. Discover how CosmicStrand operates from system power-on, propagating malicious components to the Windows kernel and injecting shellcode for further malware downloads. Examine its mysterious history, including variants from 2016 to 2020, and explore code similarities with the MyKings botnet. Gain insights into the bootkit's prevalence, functionality, and potential attack scenarios. Learn about the EFI driver, attacker code, boot manager modifications, and the process of transferring to the kernel. Understand the implications for victims, identify potential threat actors, and discover methods for disinfection in this comprehensive analysis of advanced firmware-level malware.
Overview
Syllabus
Introduction
Definitions
Past examples
Prevalence
How it works
EFI driver
Attacker code
Modifying the boot manager
OSL Arc Transfer to Kernel
ZW Create section
Patch Guard
Shell Code Loader
User Mode Components
C2 Servers
Timeline
Possible attack scenario
Victims
Threat actors
How to disinfect
Conclusion
Taught by
nullcon
