Hacker sells tool for hiding malware inside graphics card VRAM

[midian182]

In a nutshell: Want to keep malicious code hidden from a PC's antivirus software as it checks system RAM? Just hide it in the graphics card's VRAM. A proof-of-concept tool that enables such a thing was recently sold online, which could spell bad news for Windows users.

Bleeping Computer writes that someone was offering to sell the PoC on a hacker forum recently. They didn't reveal too many details about the tool, though they did note that it works by allocating address space in the GPU memory buffer to store malicious code and executes it from there.

The seller added that the code only works on Windows PCs that support OpenCL 2.0 or higher. They confirmed it works on AMD's Radeon RX 5700 and Nvidia's GeForce GTX 740M and GTX 1650 graphics cards. It also works with Intel's UHD 620/630 integrated graphics.

The post advertising the tool hit the forum on August 8. About two weeks later (August 25), the seller revealed that they had sold the PoC to someone.

On August 29, research group Vx-underground tweeted that the malicious code enables binary execution by the GPU in its memory space. It will demonstrate the technique "soon."

Recently an unknown individual sold a malware technique to a group of Threat Actors.

This malcode allowed binaries to be executed by the GPU, and in GPU memory address space, rather the CPUs.

We will demonstrate this technique soon.

— vx-underground (@vxunderground) August 29, 2021

We have seen GPU-based malware in the past. The open-source Jellyfish attack, which you can find on GitHub, is a Linux-based GPU rootkit PoC that utilizes the LD_PRELOAD technique from OpenCL. The same researchers behind JellyFish also published PoCs for a GPU-based keylogger and a GPU-based remote access trojan for Windows.

"The key idea behind our approach is to monitor the system’s keyboard buffer directly from the GPU via DMA [direct memory access], without any hooks or modifications in the kernel's code and data structures besides the page table," the researchers of the 2013 keylogger wrote. "The evaluation of our prototype implementation shows that a GPU-based keylogger can effectively record all user keystrokes, store them in the memory space of the GPU, and even analyze the recorded data in-place, with negligible runtime overhead."

Way back in 2011, a new malware threat was discovered that used GPUs to mine Bitcoin.

The seller of the recent PoC said their method differs from JellyFish as it does not rely on code mapping back to userspace.

Permalink to story.

https://www.techspot.com/news/91053-hacker-sells-tool-hiding-malware-inside-graphics-card.html

 

[Uncle Al]

Nasty stuff .... wonder how long it will take the graphic card makers to come up with a way to search / repair this problem .....

 

[Theinsanegamer]

Nasty stuff .... wonder how long it will take the graphic card makers to come up with a way to search / repair this problem .....

If you mean "make sure it only destorys cards with GDDR5 memory to drive sales of new GPUs" then about 2 hours.

 

[BadThad]

SCUM! Death to haxors that figure this stuff out for malicious purposes! You must live an incredibly sad life to spend your time trying to figure out how to screw people. ABSOLUTELY PATHETIC!

 

[Lounds]

So if you turn your pc off, the code surely disappears as the memory is off and wiped.

Really clever but scary that code can interpret keyboard data to collect usernames and passwords.

 

[pcnthuziast]

Crime will always be a component of society and human nature. Criminals adapt as times change, but the motivations almost never do. If there is havoc to wreak or money to be made, they will find a way. Rather than fret, people should develop better habits and educate themsellves as to the importance of data security and ways to safegaurd their most crucial data. Sites like this should put more emphasis on writing articles outlining such practices to inform those who aren't as savy. Myself included, admittedly.

 

[psycros]

This was inevitable with the rise of crypto mining. Its pretty clear which login info the malware will be focusing on the most.

 

[Reehahs]

This hacker is probably the same person who likes their sauce to come from cans, microwaves mayonnaise, and puts fruit on pizza.

 

[Nestea]

So if you turn your pc off, the code surely disappears as the memory is off and wiped.

Really clever but scary that code can interpret keyboard data to collect usernames and passwords.

it supposedly executes in memory. so it probably can write itself into the vbios.

 

[Markoni35]

So if you turn your pc off, the code surely disappears as the memory is off and wiped.

Yes, to be safe from viruses keep your PC switched off at all times.

 

[Digital Shadow]

Nasty stuff .... wonder how long it will take the graphic card makers to come up with a way to search / repair this problem .....

That might depend upon whether or not one of them had the Virus written. When you look at the way Intel has been carrying on for years (before they were caught out) it is always feasible that companies are behind corrupt practices. Hell! The CIA has been doing it for years...just don't tell them I told you

 

[Digital Shadow]

Yes, to be safe from viruses keep your PC switched off at all times.

Funny as your comment comes across, it is actually very true for total Cyber safety! It seems that the famous quote of the 1960's, by Timothy Leary PhD celebrity etc. "Turn on, tune in, drop out." has become my quote of "Turn off, unplug, power down."

 

[Digital Shadow]

SCUM! Death to hackers that figure this stuff out for malicious purposes! You must live an incredibly sad life to spend your time trying to figure out how to screw people. ABSOLUTELY PATHETIC!

Black Hat Hackers who cause serious psychological harm to victims either through the use of virus's or scamming practices should have mandatory hard labour prison sentences of 30 years, with no possible parole status or getting off by working for NSA or CIA security agencies and the like (the latter are as immoral as the Black Hatters). Those who are behind Ransomware scams should get 50 years with no chance of parole and, those who cause deaths when hacking health systems and hospitals (as happened in some cases back in the early days of hacking) should be executed. Anyone who thinks I am being too harsh deserves to be hacked; as its soft twerp do goods, like them, that would let these people be released earlier and get back to their scumbag ways! All the other hackers should be heavily fined, spend their lifetimes in community service work and have a beating handed to them...and no letting off easy just because they might be female!