How Hackers Sell a Tool to Hide Malware in AMD, NVIDIA GPUs

Cybercriminals are making strides toward attacks that use malware able to execute code from the Graphics Processing Unit (GPU) of a compromised system. While the method is not new and demo code has been published before, so far such projects came from the academic world or were incomplete and unrefined.

The proof-of-concept (PoC) was sold on a hacker forum at the beginning of this month, potentially marking a step up in the sophistication level of attackers.

Code Tested on AMD, Intel, and Nvidia GPUs

In a short post on a hacker forum, someone offered to sell the proof-of-concept (PoC) for a technique they say keeps malicious code safe from security solutions that scan the system RAM. The seller gave only an overview of the method, stating that it uses the GPU memory buffer to store malicious code and to execute it from there.

According to the advertiser, the project works only on Windows systems that support version 2.0 and above of the OpenCL framework, which is used to run code on different processors, GPUs included.

In the post, the author says the code was tested on graphics cards from Intel (UHD 620/630), Radeon (RX 5700), and GeForce (GTX 740m (?), GTX 1650).


The advertisement appeared on August 8. About two weeks later, on August 25, the seller replied that they had sold the PoC, without disclosing the terms of the deal. Another member of the hacker forum pointed out that GPU-based malware had been seen before, referring to JellyFish, a six-year-old PoC for a Linux-based GPU rootkit.

In a tweet on Sunday, researchers at the VX-Underground threat repository stated that the malicious code enables binary execution by the GPU in its own memory space. They also stated that they will demonstrate the technique in the future.


What Is the Academic Research?

The same researchers behind the JellyFish rootkit also published PoCs for a GPU-based keylogger and a GPU-based remote access malware for Windows. All three projects were published in May 2015 and have been publicly available since.

The seller rejected the comparison with the JellyFish malware, saying that their method is different and does not rely on mapping code back to userspace. There is no information about the deal, who bought it, or how much they paid; only the seller's post states that the malware was sold to an unknown party.

While the reference to the JellyFish project suggests that GPU-based malware is a relatively new idea, the groundwork for this attack method was laid about eight years ago. In 2013, researchers at the Institute of Computer Science of the Foundation for Research and Technology (FORTH) in Greece and at Columbia University in New York showed that GPUs can host the operation of a keylogger and store the captured keystrokes in their memory space.

Even earlier, the same researchers had shown that malware authors can take advantage of the GPU's computational power to pack their code with very complex encryption schemes much faster than on the CPU.
