
Toolkit To Hide and Execute Malicious Code on Nvidia, AMD and Intel Graphics Cards Sold by a Hacker Online

Threat actors discovered a method to hide and execute code from computer graphics cards to avoid detection.

Bleeping Computer reported that a threat actor on an underground hacker forum sold a proof of concept (PoC) toolkit to hide and execute code inside the VRAM of graphics cards.

The toolkit allocates address space in the GPU memory buffer, allowing malware execution from the graphics card memory instead of RAM. This strategy prevents anti-virus software from detecting the malicious code when scanning the rest of the system.

The technology website discovered that the offer was made on August 8 and closed for an undisclosed amount by August 25.

Most graphics cards are vulnerable to malicious code execution

The hackers claimed that the malicious code can execute on common graphics cards, including AMD and Nvidia. Affected units include Intel’s integrated UHD 620/630, Radeon RX 5700, and Nvidia’s GeForce GTX 740M and GTX 1650 graphics cards. The malicious code could potentially execute on other graphics cards sold by these manufacturers.

“More and more computing professionals are using GPUs for extremely fast graphics processing and floating-point computations,” noted Saryu Nayyar, CEO at Gurucul. “Now the AMD and Nvidia GPUs have the ability to inject malware into the code they are processing. And there seems to be a thriving market for buying and selling such malware.

“We used to think that Intel-based PCs were at the greatest risk for attack, but today just about any processor or device can deliver malware to a system or network. Identifying that attack has become much more complex than in the past, and organizations need to rely on analytics-based methods for early identification and mitigation.”

Windows GPU-based malware different from JellyFish Linux rootkit

The threat actors said the toolkit was tested and works on graphics cards running on the Windows operating system with OpenCL 2.0.

They also denied that their solution was related to a Linux-based GPU rootkit developed in 2015. The referenced JellyFish GPU-based malware exploits the LD_PRELOAD technique and is freely available on the online version control system GitHub.

The hacker noted that their malware was technically different from the GitHub variant because it does not depend on code mapping. However, the same group behind the open-source JellyFish rootkit had also published a Windows-based GPU remote access trojan and a GPU-based keylogger.

Since the technical details of the new GPU malware were unavailable, it was difficult to determine how the two malicious code bases differed.

However, although functional GPU-based malware is very rare, the concept itself is hardly revolutionary. For example, researchers at Columbia University demonstrated how attackers could exploit graphics cards to conceal malicious code in the GPU and capture keystrokes. According to the researchers, the keylogger did not depend on rootkit-like techniques such as hooking system functions and manipulating critical data structures. Instead, it monitored the host system’s keyboard buffer from the GPU.

One drawback of the GPU-based malware is the difficulty of locating the keyboard’s buffer, because it is not exported in the kernel’s symbol table and is therefore not directly accessible through loadable modules. However, VX Underground, the largest malware collection site, promised to demonstrate soon how the malicious code could be executed from the GPU instead of the CPU.

Popularity of graphics cards expands attack surface

Notably, the increasing popularity of GPUs expands the attack surface that threat actors could exploit. However, the process of injecting the malware into graphics cards could be complex. It could involve advanced techniques like altering the graphics cards’ firmware through infected updates.

“While the point of entry into our systems, like the infected SolarWinds agents, is novel – the actual conduct of the hacks usually follows a pattern,” says Garret Grajek, CEO, YouAttest. “The hackers will try to insert code into our systems to stay persistent, navigate through our enterprise, search for valuable data like PHI and PII and then communicate back to the hacker host.”

Sadly, the process of removing GPU malware isn’t a trivial undertaking. It could involve flashing the GPU firmware and reinstalling. Consequently, the chance of stopping GPU malware lies in making code injection harder by incorporating robust anti-malware security checks into the GPU products.

“As nefarious as these newfound penetration methods are, we can still utilize established points of security to mitigate these attacks at the various stages of the exploits. Key points are to look for new services, new communications to C2s (command and controls), new accounts, and escalated privileges of existing services. Attackers use existing and new identities and associated privileges to these identities to conduct their hacks – which is why identity access reviews and identity triggers are so important,” Grajek concluded.
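
The checkpoints Grajek lists (new services, new C2 communications, new accounts, escalated privileges) can be written as baseline comparisons over Windows event logs. The sketch below is an added example, not code from the article or from any vendor it names; the baseline, the event records and the OpenCL-load check (motivated by the toolkit's reported use of OpenCL 2.0 on Windows) are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

# Assumed known-good baseline; build yours from asset and software inventory.
BASELINE = {
    "services": {"Spooler", "WinDefend"},
    "dest_ips": {"198.51.100.7"},
    "opencl_procs": {"blender.exe"},      # processes expected to use the GPU
    "admin_groups": {"Administrators"},
}

GFX = r"C:\Users\Public\gfx.exe"          # constructed path
BLENDER = r"C:\Program Files\Blender\blender.exe"
OPENCL = r"C:\Windows\System32\OpenCL.dll"
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID

# Constructed sample events, not real telemetry.
EVENTS = [
    {"log": "System", "id": 7045, "ServiceName": "GfxHelperSvc", "ImagePath": GFX},
    {"log": "Security", "id": 4720, "TargetUserName": "svc_backup2"},
    {"log": "Security", "id": 4732, "MemberSid": SID, "TargetUserName": "Administrators"},
    {"log": "Sysmon", "id": 3, "Image": GFX, "DestinationIp": "203.0.113.50"},
    {"log": "Sysmon", "id": 7, "Image": GFX, "ImageLoaded": OPENCL},
    {"log": "Sysmon", "id": 7, "Image": BLENDER, "ImageLoaded": OPENCL},
    {"log": "Sysmon", "id": 3, "Image": BLENDER, "DestinationIp": "198.51.100.7"},
]

def triage(events, baseline=BASELINE):
    """Return (indicator, detail) pairs for events that deviate from baseline."""
    findings = []
    for e in events:
        key = (e["log"], e["id"])
        if key == ("System", 7045):        # a service was installed
            if e["ServiceName"] not in baseline["services"]:
                findings.append(("new_service", e["ServiceName"]))
        elif key == ("Security", 4720):    # a user account was created
            findings.append(("new_account", e["TargetUserName"]))
        elif key == ("Security", 4732):    # member added to a local group
            if e["TargetUserName"] in baseline["admin_groups"]:
                findings.append(("privilege_escalation", e["MemberSid"]))
        elif key == ("Sysmon", 3):         # network connection
            if e["DestinationIp"] not in baseline["dest_ips"]:
                findings.append(("new_destination", e["DestinationIp"]))
        elif key == ("Sysmon", 7):         # image (DLL) loaded
            proc = basename(e["Image"]).lower()
            if (basename(e["ImageLoaded"]).lower() == "opencl.dll"
                    and proc not in baseline["opencl_procs"]):
                findings.append(("unexpected_opencl_load", proc))
    return findings
```

On the constructed events, `triage(EVENTS)` returns five findings; the two Blender events match the baseline and are not flagged.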