Want to keep malicious code hidden from a PC’s antivirus software as it checks system RAM? Just hide it in the graphics card’s VRAM. A proof-of-concept tool that enables such a thing was recently sold online, which could spell bad news for Windows users.
Bleeping Computer writes that someone was offering to sell the PoC on a hacker forum recently. They didn’t reveal too many details about the tool, though they did note that it works by allocating address space in the GPU memory buffer to store malicious code and executes it from there.
The seller added that the code only works on Windows PCs that support OpenCL 2.0 or higher. They confirmed it works on AMD’s Radeon RX 5700 and Nvidia’s GeForce GTX 740M and GTX 1650 graphics cards. It also works with Intel’s UHD 620/630 integrated graphics.
The post advertising the tool hit the forum on August 8. About two weeks later (August 25), the seller revealed that they had sold the PoC to someone.
On August 29, research group Vx-underground tweeted that the malicious code enables binary execution by the GPU in its memory space. It will demonstrate the technique “soon.”
We have seen GPU-based malware in the past. The open-source Jellyfish attack, which you can find on GitHub, is a Linux-based GPU rootkit PoC that utilizes the LD_PRELOAD technique from OpenCL. The same researchers behind JellyFish also published PoCs for a GPU-based keylogger and a GPU-based remote access trojan for Windows.
“The key idea behind our approach is to monitor the system’s keyboard buffer directly from the GPU via DMA [direct memory access], without any hooks or modifications in the kernel’s code and data structures besides the page table,” the researchers of the 2013 keylogger wrote. “The evaluation of our prototype implementation shows that a GPU-based keylogger can effectively record all user keystrokes, store them in the memory space of the GPU, and even analyze the recorded data in-place, with negligible runtime overhead.”
Way back in 2011, a new malware threat was discovered that used GPUs to mine Bitcoin.
The seller of the recent PoC said their method differs from JellyFish as it does not rely on code mapping back to userspace.