Proof-of-concept code is now publicly available

May 11, 2015 13:12 GMT  ·  By

A new breed of malware is looming: a group of developers has released code for threats that run on the graphics processing unit (GPU) rather than the central processing unit (CPU), giving them stealth against current detection tools.

The developers are collectively known as Jellyfish and built a rootkit and a keylogger for Linux systems, and a remote access tool (RAT) for Windows.

Devs may prepare detection tool for GPU malware

GPUs pack more computing power than CPUs and are often used by programs for more demanding operations to spare the CPU's resources.

From a threat actor's perspective, the advantages of GPU-based malware go beyond this: information persists in GPU memory after the computer reboots, and the code can communicate directly with processes in the host's memory via DMA (direct memory access).

The developers added that, at the moment, no tool is available for analyzing malware that runs on GPUs, although this is about to change: the team appears to be working on JellyScan, a tool intended to detect GPU-based malware.
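Until a dedicated scanner such as JellyScan exists, a defender's coarse first check on Linux is simply to inventory which processes hold GPU device nodes open, since user-space OpenCL/CUDA compute goes through /dev/nvidia* or /dev/dri/*. The script below is an added example, not code from the Jellyfish developers or from JellyScan; it assumes those device-node names (NVIDIA proprietary driver and the DRM stack used by AMD/Intel), and the embedded fd table is constructed sample data standing in for a live read of /proc.

```python
"""Inventory Linux processes that hold GPU device nodes open (added example).

Heuristic only: a process talking to the GPU is not malicious by itself, but an
unexpected GPU consumer on a server with no graphics workload is worth a look.
"""
import os
import re

# Device nodes that user-space GPU compute typically opens on Linux.
# Assumption: NVIDIA proprietary driver nodes plus the DRM card/render nodes
# used by the open-source AMD/Intel stacks.
GPU_DEVICE_PATTERNS = [
    re.compile(r"^/dev/nvidia(ctl|-uvm|-modeset|\d+)$"),
    re.compile(r"^/dev/dri/(card|renderD)\d+$"),
]


def is_gpu_device(link_target):
    """True if an /proc/<pid>/fd symlink target points at a GPU device node."""
    return any(p.match(link_target) for p in GPU_DEVICE_PATTERNS)


def collect_fd_table(proc="/proc"):
    """Read {pid: {"comm": name, "fds": [symlink targets]}} from a live /proc.

    Processes that vanish or are not readable (no root) are skipped silently.
    """
    table = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
            fds = []
            for fd in os.listdir(os.path.join(pid_dir, "fd")):
                try:
                    fds.append(os.readlink(os.path.join(pid_dir, "fd", fd)))
                except OSError:
                    continue  # fd closed between listdir and readlink
        except OSError:
            continue  # process exited or permission denied
        table[int(entry)] = {"comm": comm, "fds": fds}
    return table


def find_gpu_users(fd_table):
    """Reduce an fd table to {pid: {"comm", "devices"}} for GPU consumers only."""
    users = {}
    for pid, info in fd_table.items():
        devices = sorted({t for t in info["fds"] if is_gpu_device(t)})
        if devices:
            users[pid] = {"comm": info["comm"], "devices": devices}
    return users


def flag_unexpected(gpu_users, allowlist):
    """Return the GPU consumers whose process name is not on the allowlist."""
    return {pid: v for pid, v in gpu_users.items() if v["comm"] not in allowlist}


# Constructed sample: what collect_fd_table() might return on a small host.
SAMPLE_FD_TABLE = {
    1: {"comm": "systemd", "fds": ["/dev/null", "socket:[1234]"]},
    842: {"comm": "Xorg", "fds": ["/dev/dri/card0", "/dev/tty7", "/dev/nvidiactl"]},
    1337: {"comm": "bash", "fds": ["/dev/pts/0", "/dev/nvidiactl", "/dev/nvidia0", "/dev/nvidia-uvm"]},
    2048: {"comm": "sshd", "fds": ["socket:[5678]", "/dev/null"]},
}

# Process names this (hypothetical) host is expected to run on the GPU.
SAMPLE_ALLOWLIST = {"Xorg"}


if __name__ == "__main__":
    table = collect_fd_table() if os.path.isdir("/proc") else SAMPLE_FD_TABLE
    for pid, v in flag_unexpected(find_gpu_users(table), SAMPLE_ALLOWLIST).items():
        print(f"pid {pid} ({v['comm']}) holds GPU devices: {', '.join(v['devices'])}")
```

On the constructed sample the only unexpected GPU consumer is the `bash` process holding the NVIDIA control, device and unified-memory nodes; a real run needs root to read other users' /proc/<pid>/fd, and the allowlist should be built from the host's known GPU workloads rather than guessed.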

PoCs for GPU-based rootkit, keylogger and RAT released

The rootkit is called Jellyfish. It uses the OpenCL API (application programming interface) developed by the Khronos Group and works on graphics cards from AMD and NVIDIA; Intel cards are also supported through AMD's APP SDK (software development kit), designed for accelerating computation tasks in software programs.

The project for the GPU-based RAT for Windows (an importless portable executable) was published over the weekend; at the moment it is a PoC intended for systems with NVIDIA cards that support CUDA graphics acceleration.

The description of the Linux keylogger, dubbed Demon, offers no technical details, but it states that the work builds on earlier research detailed in a 2013 paper, “You Can Type, but You Can’t Hide: A Stealthy GPU-based Keylogger.”

All code from the Jellyfish developers is meant for educational purposes. “Our goal was to make everyone AWARE that gpu based malware IS REAL,” they say on the project pages. The code is also of beta maturity, with bugs still to be ironed out and features yet to be added.