Your motherboard could be infected with some seriously sneaky malware

A white padlock on a dark digital background.
(Image credit:

Cybersecurity researchers from Qihoo360 and Kaspersky have warned some older motherboards could be infected with uniquely sneaky malware

Motherboard malware, persistent threats usually known as UEFI rootkits, are particularly difficult to remove, as even wiping the hard drive doesn’t eliminate the threat. 

This instance, which Qihoo360 dubbed Spy Shadow Trojan, and Kaspersky named CosmicStrand, was found on machines with ASUS and Gigabyte motherboards. These were mostly discontinued hardware, produced between 2013 and 2015, with Kaspersky noting UEFI firmware rootkit can persist on devices for as long as they are operational.

Difficult compromise to pull off

Explaining the findings via Twitter, former Kaspersky reverse engineer Mark Lechtik said the compromised firmware images came with a modified CSMCORE DXE driver, which enables a legacy boot process, BleepingComputer reported.

“This driver was modified so as to intercept the boot sequence and introduce malicious logic to it,” Lechtik said.

What the researchers don’t know yet is how the malware made it onto the devices, as compromising the endpoints with UEFI malware involves either having physical access to the devices or having precursor malware that would be able to automatically patch the firmware image.

In Qihoo360’s case, a victim said they had bought an already compromised, used motherboard, from the Internet. Among the victims that Kaspersky analyzed were private individuals in China, Iran, Vietnam, and Russia, that had almost nothing in common.

It is hard to determine who the threat actor is, although Kaspersky believes the same group is behind the MyKings cryptomining botnet. 

Although more difficult to pull off, UEFI malware is becoming more common. In October last year, for example, cybersecurity researchers from ESET discovered such malware and dubbed it ESPecter. Back then, the researchers claimed this threat was active since at least 2012 and was used mostly for espionage, as it was capable of keylogging and stealing documents. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.