Malicious code hidden in VRAM, undetectable by antiviruses
A new cyberhack featuring graphics card memory.
According to Bleeping Computer, cybercriminals have found a new way to hide malware in graphics card memory. The original advertisement on hacking forums claims that this method, which uses graphics card memory instead of system memory, is undetectable by antivirus software.
The malware allocates a region of graphics memory and executes its code from there. The technique relies on the OpenCL 2.0 API on the Windows operating system; no other operating systems are said to be affected by the malicious code.
The hacker confirmed that the code has been tested on Intel UHD 620/630 integrated graphics as well as the Radeon RX 5700 GPU and the GeForce GTX 740M and GTX 1650 discrete cards. It is unclear whether other graphics cards are affected, but since the method relies on OpenCL 2.0, it is very likely to work on other modern GPUs as well.
Using graphics memory to execute malicious code is not an entirely new topic. Back in 2015, researchers demonstrated a proof of concept for a GPU-based keylogger and remote access trojans for Windows. The author of the new malware claims that his method is new and not associated with those earlier ones.
Researchers from vx-underground will demonstrate the technique behind the new malware soon. They confirmed that the GPU executes malware binaries from within the GPU memory space.
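Because the technique depends on the OpenCL runtime being loaded into the host process, one defensive starting point is an inventory of which processes on a Windows machine have loaded an OpenCL ICD. The script below is an added example, not code from the article or from vx-underground; the allowlist of expected GPU-compute users and the module-name patterns (OpenCL.dll loader plus vendor ICDs such as amdocl, IntelOpenCL, nvopencl) are assumptions to tune per environment.

```powershell
# Added example: list processes that have loaded an OpenCL runtime on this host.
# A hit outside the allowlist is a triage lead for a GPU-resident payload, not a verdict.
$allowlist = @('chrome', 'msedge', 'firefox', 'blender', 'photoshop')   # assumed baseline, tune per fleet
$oclPattern = '^(OpenCL|amdocl|IntelOpenCL|nvopencl)'                    # loader + common vendor ICD names (assumed)

Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    try {
        # Reading .Modules can fail on protected or mismatched-bitness processes; skip those.
        $ocl = $p.Modules | Where-Object { $_.ModuleName -match $oclPattern }
    } catch {
        return
    }
    if ($ocl -and ($allowlist -notcontains $p.ProcessName.ToLower())) {
        [pscustomobject]@{
            PID     = $p.Id
            Name    = $p.ProcessName
            Path    = $p.Path
            Modules = ($ocl.ModuleName -join ', ')
        }
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt so that module lists of other users' processes are readable; compare the output against a known-good baseline from the same machine image.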
Recently an unknown individual sold a malware technique to a group of Threat Actors.
This malcode allowed binaries to be executed by the GPU, and in GPU memory address space, rather than the CPU's.
We will demonstrate this technique soon.
— vx-underground (@vxunderground) August 29, 2021