Bleeping Computer, a renowned news site for all things tech, warned on August 31 about the online sale of a proof-of-concept (PoC) for a tool that allows the exploitation of graphics cards through malicious code placed inside their VRAM. This lets the malware go undetected by antivirus scanners, which typically scan only the PC’s RAM and disk storage.
The evolution of graphics cards has produced hardware that is a miniature ecosystem in itself. Modern graphics cards contain thousands of cores intended to help with video acceleration and a few that manage the entire system. They also come with a memory buffer, known as VRAM, that helps load game textures more quickly.
This memory buffer is rarely scanned by antivirus software, which makes it an excellent spot to hide malicious code. The details about this particular toolkit are murky, and it is still unknown how the code sold on August 25 works. In a post published on August 8, the toolkit was described as “an exploit that allocates address space in the VRAM and inserts and executes code from there.”
Allegedly, the code has been tested and works with Intel’s UHD 620/630 integrated graphics, AMD’s Radeon RX 5700, and Nvidia’s GeForce GTX 740M and GTX 1650 graphics cards. Luckily, it doesn’t seem to affect popular choices such as the RTX 2080 or the RTX 2060, though that may just be because the hacker hadn’t yet tested these cards. Vx-underground, a research group, tweeted that it will demonstrate this technique soon, which should answer many questions that users might have.
It is not the first time GPUs have been tested in such a manner. Researchers have previously demonstrated and published Jellyfish, an attack that exploits OpenCL and forces the execution of malicious code from the user’s GPU.
These exploits could open a Pandora’s box of new places to hide malicious code. It will undoubtedly be interesting to see how the situation develops and, more importantly, whether antivirus products pick up on it and include VRAM scanning in their new updates.