As reported by Bleeping Computer, the malware executes via the GPU in its memory buffer, staying hidden from any security apps that could be watching the system RAM for signs of anything suspicious.
The proof-of-concept (PoC) threat has apparently been sold on a hacker forum to an unknown party, who will presumably be leveraging the code to make some kind of functional malware to release into the wild.
Multiple GPUs affected
The seller of the PoC explains that it works on Windows systems (with OpenCL 2.0 or better support), and has been tested across a small number of GPUs from all major manufacturers.
That means AMD, Intel and Nvidia graphics solutions, including the Nvidia GTX 1650 and AMD Radeon RX 5700, as well as Intel integrated graphics in CPUs (Intel UHD 620 and 630).
Note that integrated GPUs use system memory, of course, but a portion of that memory is still set aside for the graphics system, and it can be used to stealthily hide malware in the same way as the dedicated VRAM on board a discrete video card.
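Since the PoC is described as Windows-only and tested on a handful of named GPUs, the obvious first step for a defender is an inventory: which hosts carry those adapters, and which have an OpenCL runtime installed at all. The script below is an added example for this article, not code from the report or the forum seller. It assumes the adapter names reported by the driver contain the model strings the article lists (substring matching is an assumption), and it treats the presence of OpenCL.dll in System32 as a rough sign that a vendor OpenCL runtime is installed; it does not verify the OpenCL 2.0 version requirement the seller mentions.

```powershell
# Added inventory check (not from the article): list video controllers on a
# Windows host and flag the GPU models the article says the PoC was tested on.
# Model strings are the article's; matching on adapter name is an assumption.
$testedModels = @('GTX 1650', 'Radeon RX 5700', 'UHD Graphics 620', 'UHD Graphics 630')

function Get-GpuExposureReport {
    # Presence of an ICD loader hints that an OpenCL runtime is installed;
    # this does NOT confirm OpenCL 2.0 support (assumption, not a version check).
    $openclRuntime = Test-Path (Join-Path $env:SystemRoot 'System32\OpenCL.dll')

    Get-CimInstance -ClassName Win32_VideoController | ForEach-Object {
        $name    = $_.Name
        $matched = $testedModels | Where-Object { $name -like "*$_*" }

        [pscustomobject]@{
            Adapter        = $name
            DriverVersion  = $_.DriverVersion
            # AdapterRAM is a 32-bit WMI field, so cards with more than 4 GB
            # of VRAM report a capped value; treat it as approximate.
            AdapterRAM_MB  = if ($_.AdapterRAM) { [math]::Round($_.AdapterRAM / 1MB) } else { $null }
            OpenCLRuntime  = $openclRuntime
            ListedInReport = [bool]$matched
        }
    }
}

# Usage: run on each endpoint (or via remoting) and collect the rows centrally.
Get-GpuExposureReport | Format-Table -AutoSize
```

Rows with ListedInReport set to True identify the adapters named in the report; rows with OpenCLRuntime True but no match still meet the article's stated precondition (an OpenCL-capable Windows host) and should not be treated as out of scope just because the model was not in the seller's short test list.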
Analysis: Worrying – but let’s not get carried away just yet
Before we start proclaiming panic stations in the GPU world, remember that nothing has actually come of this thus far. At the moment, this is just a report about a claimed PoC that hasn’t been turned into anything which might threaten your PC – not yet, anyway, but watch this space (or rather, watch that GPU memory space). The tool was supposedly sold on August 25, incidentally, just a week ago.
Furthermore, the idea of using the GPU to push malware onto a PC in this manner isn’t a new one. As Bleeping Computer observes, demo code for this kind of exploit leveraging graphics cards has been floating around before in the academic space, and we’ve even seen ‘JellyFish’, a PoC for a GPU rootkit aimed at Linux systems way back in 2015. Another hacker actually pointed out the latter in the forum where the new PoC was sold.
Still, even if this is nothing new as such, the author promises that their fresh creation isn’t anything to do with JellyFish, and that the method used here is ‘different and does not rely on code mapping back to userspace’.
In short, there are ominous rumblings here that this does have the potential to develop into something worrying. And if it is capable of affecting a range of GPUs as testing suggests – including Intel integrated graphics, which have supposedly been shown to be affected – then that really is a concern. Most Windows PCs out there are laptops, after all, running Intel processors in the main.