Hackers may have found a way to store and execute malicious code on a graphics card, potentially allowing it to avoid detection by antivirus software. The code was also reportedly sold via a hacking forum, and so far we have no further indication of how dangerous the technique is.
Code hiding undetected in GPU memory would probably be very dangerous, because removing it could be difficult and might depend on fully reflashing the GPU, itself a risky operation. How serious the reported method actually is, however, will depend on what it takes to get the code into GPU memory in the first place.
All we know about the technique is what one hacker, who later allegedly sold it, said about it on a forum. The post was later spotted and reported by Bleeping Computer.
The original forum post reads as follows:
“Sell the PoC [proof-of-concept] techniques that avoid AV detections from RAM scan. It allocates address space in the GPU buffer, inserts and executes code from there.”
The post goes on to explain that the technique only works on Windows machines that support OpenCL 2.0 or higher, an open standard used to speed up applications on GPUs. Additionally, the technique has been tested on Intel UHD 620, UHD 630, Radeon RX 5700, GeForce GTX 740M and GeForce GTX 1650 graphics cards.
The possibility that this technique would work on both AMD and Nvidia discrete GPUs alone would be quite worrying. However, the possibility that it would also run on Intel iGPUs would potentially open up a much larger percentage of PCs to the exploit.
As Bleeping Computer notes, VX-Underground, which bills itself as “the largest collection of malware source code, samples and articles on the Internet”, is aware of such a technique and will demonstrate it soon.
Recently, an unknown individual sold a malware technique to a group of threat actors. This malcode allowed binaries to be executed by the GPU, and in the GPU memory address space, rather than the CPUs. We will demonstrate this technique soon.
(VX-Underground, August 29, 2021)
This is not the first time that a GPU, and potentially OpenCL, has been used to execute malicious code. Various users are reporting a similar PoC called Jellyfish, which is a Linux-based GPU rootkit that works on both Nvidia and AMD GPUs and requires OpenCL drivers to function. This code has not been touched for six years, although its creators note that this GPU-based malware benefits from the lack of tools and software capable of detecting it.
Jellyfish and the latest technique would be different, however, at least according to the vendor of the potentially dangerous PoC.
It’s possible we’ll see new efforts to take advantage of GPU memory, or accelerators in general, given their importance in all kinds of machines today. That said, there’s no doubt in my mind that many exploits exist in computing at any given time, and while manufacturers struggle to plug the holes in their code, it’s equally important that you do your best to protect your system.
Usually, that means not giving malicious actors a chance to get code onto your system in the first place; once they have, they can usually cause all kinds of havoc, much of it undetected.