Malware Author Created a Tool to Hide Malware in AMD, NVIDIA GPUs

Cybercriminals are starting to use malware that can execute code from a compromised system’s graphics processing unit (GPU).

The Proof-of-Concept (PoC) for the method was sold on a hacker forum earlier this month, which suggests that we may soon see it used in the wild.

The seller advertised the proof-of-concept as a way for malicious code to evade security solutions that scan system RAM, saying only that the method stores the malicious code in the GPU's memory buffer and executes it from there.

The project works only on Windows systems with version 2.0 or later of the OpenCL framework for executing code on GPUs. The code was tested on various graphics cards, including Intel (UHD 620/630), Radeon (RX 5700), and GeForce (GTX 740M(?), GTX 1650).
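Because the PoC depends on the OpenCL runtime being loaded into the abusing process, one cheap hunting pivot for defenders is to review which processes load the OpenCL loader or a vendor OpenCL driver on Windows hosts. The script below is an added example written for this article, not code from the seller or from any of the projects mentioned; it runs a simple triage rule over constructed, Sysmon-style "image loaded" records. The log line format, the allowlist entry, the suspicious-path heuristic and the vendor DLL names are all assumptions to adapt to a real telemetry pipeline (the Khronos loader is OpenCL.dll; vendor ICD names vary by driver version).

```python
"""
Added example (not from the article or the PoC seller): flag processes that
load the OpenCL runtime but are not known GPU-compute applications.
The event format below is constructed and simplified; real Sysmon Event ID 7
(Image loaded) records carry more fields.
"""
import re
from dataclasses import dataclass, field

# Constructed sample telemetry: "<ts> | ImageLoad | pid=<n> image=<exe> loaded=<dll>".
# blender.exe is a legitimate GPU-compute user; update.exe running from Temp is not.
SAMPLE_EVENTS = r"""
2021-08-31T10:01:02Z | ImageLoad | pid=4120 image=C:\Program Files\Blender\blender.exe loaded=C:\Windows\System32\OpenCL.dll
2021-08-31T10:01:05Z | ImageLoad | pid=4120 image=C:\Program Files\Blender\blender.exe loaded=C:\Windows\System32\amdocl64.dll
2021-08-31T10:02:11Z | ImageLoad | pid=5588 image=C:\Users\alice\AppData\Local\Temp\update.exe loaded=C:\Windows\System32\OpenCL.dll
2021-08-31T10:02:12Z | ImageLoad | pid=5588 image=C:\Users\alice\AppData\Local\Temp\update.exe loaded=C:\Windows\System32\IntelOpenCL64.dll
2021-08-31T10:03:40Z | ImageLoad | pid=7001 image=C:\Windows\System32\notepad.exe loaded=C:\Windows\System32\kernel32.dll
"""

# Assumption: module basenames that indicate OpenCL use. OpenCL.dll is the
# Khronos ICD loader; the vendor names are examples and differ across drivers.
OPENCL_MODULE_RE = re.compile(r"(opencl|amdocl|nvopencl)[^\\/]*\.dll$", re.IGNORECASE)

# Constructed allowlist of process images expected to use GPU compute.
ALLOWED_IMAGES = {
    r"c:\program files\blender\blender.exe",
}

# Heuristic (assumption): GPU-compute from user-writable scratch paths is rare.
SUSPICIOUS_PATH_RE = re.compile(r"\\(temp|downloads)\\", re.IGNORECASE)

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) \| ImageLoad \| pid=(?P<pid>\d+) image=(?P<image>.+?) loaded=(?P<module>.+)$"
)


@dataclass
class Finding:
    pid: int
    image: str
    modules: list = field(default_factory=list)
    severity: str = "low"


def parse_events(text):
    """Yield (timestamp, pid, image_path, module_path) for each well-formed line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.group("ts"), int(m.group("pid")), m.group("image"), m.group("module")


def triage(text):
    """Return one Finding per non-allowlisted process that loaded an OpenCL module."""
    by_pid = {}
    for _ts, pid, image, module in parse_events(text):
        if not OPENCL_MODULE_RE.search(module):
            continue  # not an OpenCL-related module
        if image.lower() in ALLOWED_IMAGES:
            continue  # expected GPU-compute application
        finding = by_pid.setdefault(pid, Finding(pid=pid, image=image))
        finding.modules.append(module.rsplit("\\", 1)[-1])
        if SUSPICIOUS_PATH_RE.search(image):
            finding.severity = "high"
    return list(by_pid.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} image={f.image} modules={f.modules}")
```

The rule is deliberately noisy on hosts with many legitimate OpenCL users (rendering, video, scientific tooling); in practice the allowlist is built from a baseline of normal image loads, and a "high" finding is a prompt to pull the process and its GPU command history for review, not a verdict on its own.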

On August 25, the seller suddenly announced that they had sold the PoC. The terms of the transaction were not disclosed.

The method itself is not new: the groundwork for this attack technique was laid about eight years ago, but the projects built on it have either remained academic or were never completed.

One GPU-based malware, JellyFish, was a PoC developed by researchers for a Linux-based GPU rootkit. More recently, researchers at the VX-Underground threat repository said they have malicious code that uses the GPU to execute binary code from its own memory space, and promised to post a demonstration of the technique in the near future.

The researchers who created the JellyFish rootkit also released PoCs for a Windows keylogger and a remote access trojan that work in the GPU.

The seller denied any association with JellyFish, claiming that their method is different and does not rely on mapping code back to userspace.

In 2013, researchers from Columbia University and the Institute of Computer Science in Greece showed that a GPU can host both the operations and the data of a keylogger [PDF].

Earlier, the same researchers showed that malware authors can offload complex encryption schemes to the GPU, taking advantage of its computational power to encrypt much faster than on the CPU.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.