A proof-of-concept technique for both storing and executing malware on a graphics card has recently been sold on a hacker forum. In the forum listing, the seller explains how this technique avoids the RAM scanning performed by antivirus software, keeping the malicious code safe from detection. The malware runs using the GPU and the code is stored in VRAM.
The technique is confirmed to only work on Windows machines, but it’s compatible with a wide selection of GPUs and graphics cards. The seller tested the technique on Intel’s UHD 620 and 630 GPUs, AMD’s Radeon RX 5700, and Nvidia’s GeForce GT 740 and GTX 1650, so it’s presumed the same technique will work on other AMD and Nvidia cards/GPUs. Research team vx-underground also rather than a CPU.
The concept of GPU-based malware isn’t new. A JellyFish GPU rootkit PoC was published in 2015. A GPU keylogger and trojan were also publicly shared by the JellyFish researchers, so the threat is a known one. However, the seller of this new PoC claims there is no association with JellyFish and that this is a new method of infiltration.
It’s not known who purchased this latest PoC malware, but vx-underground plans to demonstrate the technique used “soon.” Security researchers and vendors will no doubt be very keen to see it in action before quickly working on mitigation solutions to add to their consumer and business products. As ever with new security attack vectors, it’s always a case of when rather than if they will be used.