Rakshasa is a proof of concept hardware malware backdoor that replaces a computer’s BIOS (Basic Input/Output System) and allows the operating system to be compromised each time the system is started, without leaving a trace on the hard drive.
The Rakshasa malware primarily replaces the motherboard BIOS; however, it can also infect the firmware of peripheral devices such as network cards or CD drives.
Rakshasa was built from open source software: it replaces the vendor supplied BIOS with a combination of Coreboot and SeaBIOS, which run on a variety of motherboards from different manufacturers, and writes an open source network boot firmware named iPXE to the computer’s network card.
These components are modified by the Rakshasa malware so that nothing suggesting infection is displayed during the boot process, and Coreboot is used to show the original vendor startup screen of the infected device.
Once the malware has infected two devices within the computer, removing it from one device (for example by updating that device’s firmware) is not enough, because the other device can reinstall the Rakshasa malware on the cleaned device.
Therefore, to remove the Rakshasa malware from the system, the computer must be shut down and every affected device reflashed with the manufacturer’s firmware so that the malware is removed completely.
The Rakshasa malware was created to highlight that a hardware backdoor can be inserted somewhere in the supply chain before a computer is delivered to the end user, and that most computers, including Apple’s, are manufactured in China.
The Rakshasa malware can also be installed remotely by a third party; however, if reflashing a device requires a physical step, such as moving a jumper, then remote installation is not possible.
Malware often stores its bootkit on the hard drive, which makes identification during a forensic examination much easier. Rakshasa instead uses the iPXE firmware to download the bootkit from a remote location and load it into RAM each time the computer boots, so the file system is never altered and it is far harder for a computer forensic expert to identify.
The Rakshasa malware bootkit can also be downloaded unwittingly by the user through an email attachment, such as a PDF, and can send the IP address of the victim machine to a predefined email address.
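Because nothing lands on the disk, a forensic examiner has to look at the firmware itself. The following Python triage for a dumped network card option ROM is an added example, not code from the original post or from the Rakshasa project: it walks the chained PCI ROM images, checks the legacy image checksum, compares the dump against a vendor hash and flags embedded iPXE identification strings. The sample ROM image, vendor/device IDs and the known-good hash are constructed placeholders.

```python
import hashlib
import struct

IPXE_MARKERS = (b"iPXE", b"ipxe.org")  # strings a stock iPXE build embeds

def build_sample_rom(body: bytes, last: bool = True) -> bytes:
    """Constructed 512-byte legacy PCI option ROM image (not real firmware)."""
    img = bytearray(512)
    img[0:2] = b"\x55\xAA"                      # ROM signature
    img[2] = 1                                  # image size in 512-byte blocks
    struct.pack_into("<H", img, 0x18, 0x40)     # pointer to the PCI data structure
    pcir = struct.pack("<4sHHHHB3sHHBBH", b"PCIR", 0x8086, 0x1234, 0, 0x18, 3,
                       b"\x00\x00\x02", 1, 0, 0x00, 0x80 if last else 0x00, 0)
    img[0x40:0x40 + len(pcir)] = pcir           # placeholder vendor/device IDs
    img[0x60:0x60 + len(body)] = body           # code body / embedded strings
    img[-1] = (-sum(img[:-1])) & 0xFF           # legacy images must checksum to zero
    return bytes(img)

def fingerprint(rom: bytes) -> str:
    return hashlib.sha256(rom).hexdigest()

def parse_option_rom(rom: bytes) -> list[dict]:
    """Walk the chained images of a PCI option ROM dump."""
    images, off = [], 0
    while off + 0x1A <= len(rom) and rom[off:off + 2] == b"\x55\xAA":
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"missing PCIR structure at image offset {off:#x}")
        blocks, code_type, indicator = struct.unpack_from("<HxxBB", rom, pcir + 0x10)
        img = rom[off:off + blocks * 512]
        images.append({"offset": off, "code_type": code_type, "data": img,
                       "checksum_ok": sum(img) & 0xFF == 0})
        if indicator & 0x80:                    # bit 7 marks the last image
            break
        off += blocks * 512
    return images

def triage_rom(rom: bytes, known_good_sha256: str) -> dict:
    """Flag a dumped NIC ROM that differs from the vendor image or carries iPXE."""
    findings = []
    if fingerprint(rom) != known_good_sha256:
        findings.append("hash differs from vendor image")
    for img in parse_option_rom(rom):
        if not img["checksum_ok"]:
            findings.append(f"bad checksum in image at {img['offset']:#x}")
        if any(m in img["data"] for m in IPXE_MARKERS):
            findings.append(f"iPXE marker in image at {img['offset']:#x}")
    return {"suspicious": bool(findings), "findings": findings}
```

A clean result on one device is not a clean result for the machine: as described above, every flashable device has to be dumped and checked before the computer is declared free of the backdoor.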
About Athena Forensics
For information on our digital forensic services, or if you require any advice or assistance, please contact a member of our team on 0845 882 7386 or via email at email@example.com; further details are available on our contact us page.