At a glance.

  • CosmicStrand UEFI rootkit.
  • Software supply-chain attack targets Ukrainian organizations.
  • Magecart campaign affects restaurants.

CosmicStrand UEFI rootkit.

Researchers at Kaspersky describe a new variant of a UEFI rootkit dubbed “CosmicStrand.” The malware has targeted victims in China, Vietnam, Iran, and Russia. Kaspersky notes that “all the victims in our user base appear to be private individuals (i.e., using the free version of our product) and we were unable to tie them to any organization or even industry vertical.” The researchers believe the malware was developed by a Chinese-speaking actor, but they don’t attribute it to any known group. Versions of the rootkit have been in use since at least 2016:

“The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset. This suggests that a common vulnerability may exist that allowed the attackers to inject their rootkit into the firmware’s image.

“In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain which results in the download and deployment of a malicious component inside Windows.”

“Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware. This could be achieved through a precursor malware implant already deployed on the computer or physical access (i.e., an evil maid attack scenario).”

Software supply-chain attack targets Ukrainian organizations.

Cisco Talos has observed a strain of malware dubbed “GoMet” that was used to target “a large software development company whose software is used in various state organizations within Ukraine.” The researchers note that this malware was used by sophisticated threat actors in two previous campaigns, but they haven’t observed any links to the current operation. The researchers assess “with moderate to high confidence that these actions are being conducted by Russian state-sponsored actors or those acting in their interests.” The threat actor in this instance has modified the publicly available GoMet malware:

“The backdoor itself is a rather simple piece of software written in the Go programming language. It contains nearly all the usual functions an attacker might want in a remotely controlled agent. Agents can be deployed on a variety of operating systems (OS) or architectures (amd64, arm, etc.). GoMet supports job scheduling (via Cron or task scheduler depending on the OS), single command execution, file download, file upload or opening a shell. An additional notable feature of GoMet lies in its ability to daisy chain — whereby the attackers gain access to a network or machine and then use that same information to gain access to multiple networks and computers — connections from one implanted host to another. Such a feature could allow for communication out to the internet from otherwise completely ‘isolated’ hosts.

“This version was changed by malicious actors, in the original code, the cronjob is configured to be executed once every hour on the hour. In our samples, the cronjob is configured to run every two seconds. This change makes the sample slightly more noisy since it executes every two seconds, but also prevents an hour-long sleep if the connection fails which would allow for more aggressive reconnection to the C2.”

Magecart campaign affects restaurants.

Recorded Future describes a Magecart campaign that’s affected hundreds of restaurants using the online ordering platforms MenuDrive, Harbortouch, and InTouchPOS. At least 50,000 customers have had their personal and financial information stolen as a result:

“The online ordering platforms MenuDrive and Harbortouch were targeted by the same Magecart campaign, resulting in e-skimmer infections on 80 restaurants using MenuDrive and 74 using Harbortouch. This campaign likely began no later than January 18, 2022, and as of this report, a portion of the restaurants remained infected; however, the malicious domain used for the campaign (authorizen[.]net) has been blocked since May 26, 2022.

“The online platform InTouchPOS was targeted by a separate, unrelated Magecart campaign, resulting in e-skimmer infections on 157 restaurants using the platform. This campaign began no later than November 12, 2021, and as of this report, a portion of the restaurants remain infected and the malicious domains (bouncepilot[.]net and pinimg[.]org) remain active.”