Criminals in cyberspace have created a malware program that can be hidden in GPU memory and make it invisible to antivirus applications.
Hackers Could Store Malware Within Your GPU Memory, Undetectable By Antivirus
The technique utilizes GPU memory allocation space and executes the malicious code into the computer. The OpenCL 2.0 API technology used on the Windows OS is the only targeted operating system, with no other OS mentioned in the attacks.
So far, hackers have been able to store malicious code on various GPUs from Intel (UHD 620/630), AMD (Radeon RX 5700), and NVIDIA (GeForce GTX 1650 / GeForce GT 740M). This could very well affect all modern GPUs and not just older generation parts.
In 2015, a research group conceptualized a keylogger inside of a GPU that could activate remote access trojans into Windows operating systems. However, this new technique is stated to be a newer concept and not derivative of the 2015 creation.
Under normal conditions, executing code on the GPU requires a controlling process running on the host. The host process adds a task on the command queue, which will be eventually fetched and executed by the GPU. However, GPUs have a non-preemptive nature: once the execution of a task is initiated, the GPU is locked with the execution of that task and no one else can use the GPU in the meanwhile. This is particularly problematic when the GPU is used both for rendering and computation, as this could generate undesired effects such as an unresponsive user interface.
As a consequence, in order to ensure a proper behavior, the graphic driver usually enforces a timeout to kill long lasting kernels. For GPU malware this could represent an important limitation because the malicious kernel needs to be sent over and over in a loop, making it more easy to detect in system memory.
The first anti-forensic technique consists in disabling the existing timeout to take full control of the GPU. For instance, in Vasiliadis et al. (2014) the authors disabled the GPU hangcheck to lock the GPUs indefinitely.
— Science Direct website
Recently an unknown individual sold a malware technique to a group of Threat Actors.
This malcode allowed binaries to be executed by the GPU, and in GPU memory address space, rather the CPUs.
We will demonstrate this technique soon.
— vx-underground (@vxunderground) August 29, 2021
Representatives of the forum vx-underground are in the process of creating a demonstration of the malware attack on Windows operating systems in the next few weeks. The research group states that the GPU will execute malware binaries from within the graphic card's memory allocated spaces.