A third firmware bootkit, called MoonBounce, has been identified: more discreet, more persistent and more advanced, it hides in the UEFI firmware of computers

Kaspersky researchers have detected the third known case of a UEFI firmware bootkit. Dubbed MoonBounce, this malicious implant hides in the firmware of the UEFI (Unified Extensible Firmware Interface), an essential component of the computer that is stored in SPI flash memory outside the hard disk. Removing this type of implant is particularly difficult, and security solutions have only limited ability to identify it.

MoonBounce first appeared in Spring 2021. Compared to previously reported UEFI firmware bootkits, its attack flow is considerably more sophisticated. According to Kaspersky researchers, all clues point to the involvement of APT41, a well-known APT (Advanced Persistent Threat) group.

UEFI firmware is an essential component of the vast majority of machines: its code starts the device before handing off to the software that loads the operating system. This code lives in non-volatile memory outside the hard disk, the SPI flash. Malware implanted by a firmware bootkit therefore runs before the operating system, and it becomes very difficult to get rid of: reformatting the hard drive or reinstalling the operating system is not enough. Moreover, since the code is isolated from the hard disk, the activity of these bootkits goes practically unnoticed unless the security solution has a dedicated firmware analysis function.

MoonBounce is only the third identified UEFI bootkit. Appearing in the spring of 2021, it was discovered by Kaspersky researchers while examining the activity of their Firmware Scanner, included in Kaspersky products since early 2019 to specifically detect hidden threats in the ROM BIOS, including UEFI firmware images. MoonBounce is more advanced than the two previously identified bootkits, LoJax and MosaicRegressor, as it incorporates a more complex attack flow and greater technical sophistication.

The implant resides in the CORE_DXE component of the firmware, which is invoked early in the UEFI boot sequence. Then, through a series of hooks that intercept functions, the implant's components make their way into the operating system, from where they contact a command-and-control server to retrieve additional malicious payloads, which the researchers were unable to retrieve. Note that the infection chain itself leaves no trace on the hard disk, since its components operate only in memory, which enables a fileless attack with a small footprint.
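As an added example (not Kaspersky's Firmware Scanner or any code from the report), the following Python script shows the core of the check a firmware scanner performs against an implant like this one: it locates the UEFI firmware volumes in a dumped SPI flash image, validates their headers, hashes each volume and reports any volume that differs from a trusted golden dump of the same machine. The constructed sample dumps, their layout and the volume contents are assumptions made for the demonstration.

```python
import hashlib
import struct

FV_SIGNATURE = b"_FVH"
# EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec): 16 zero bytes, FileSystemGuid,
# FvLength, "_FVH", Attributes, HeaderLength, Checksum, ExtHeaderOffset,
# Reserved, Revision. The signature sits at offset 40, the checksum at 50.
_HDR = struct.Struct("<16s16sQ4sIHHHBB")  # 56 bytes

def header_ok(image, start, hdr_len):
    """The header's 16-bit words must sum to zero mod 2**16 (spec checksum)."""
    words = struct.unpack_from("<%dH" % (hdr_len // 2), image, start)
    return sum(words) % 0x10000 == 0

def find_volumes(image):
    """Yield (offset, length) of each firmware volume with a valid header."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 40
        if start >= 0 and start + _HDR.size <= len(image):
            _, _, fv_len, _, _, hdr_len, *_ = _HDR.unpack_from(image, start)
            if (_HDR.size <= hdr_len <= fv_len and start + fv_len <= len(image)
                    and header_ok(image, start, hdr_len)):
                yield start, fv_len
        pos = image.find(FV_SIGNATURE, pos + 1)

def volume_digests(image):
    """SHA-256 of every volume, keyed by its offset in the SPI image."""
    return {off: hashlib.sha256(image[off:off + ln]).hexdigest()
            for off, ln in find_volumes(image)}

def diff_against_baseline(image, baseline):
    """Offsets whose volume is missing, new, or hashes differently from the baseline."""
    current = volume_digests(image)
    return sorted(off for off in set(baseline) | set(current)
                  if baseline.get(off) != current.get(off))

def make_volume(body):
    """Build a minimal, correctly checksummed firmware volume (constructed test data only)."""
    hdr = bytearray(_HDR.pack(b"\0" * 16, b"\0" * 16, _HDR.size + len(body),
                              FV_SIGNATURE, 0, _HDR.size, 0, 0, 0, 2))
    checksum = (-sum(struct.unpack("<28H", hdr))) % 0x10000
    struct.pack_into("<H", hdr, 50, checksum)
    return bytes(hdr) + body

# Constructed sample dumps (not real firmware): a trusted golden image and a copy in
# which the volume holding the core DXE driver was modified in place, as the article
# describes for MoonBounce. The replacement keeps the volume length unchanged.
GOLDEN = b"\xff" * 64 + make_volume(b"CORE_DXE:benign-dxe-code") + make_volume(b"OTHER_FV:unchanged")
TAMPERED = GOLDEN.replace(b"benign-dxe-code", b"hooked-dxe-code")
BASELINE = volume_digests(GOLDEN)

if __name__ == "__main__":
    print("modified volumes at offsets:", diff_against_baseline(TAMPERED, BASELINE))
```

A real check would take the baseline from a dump of the vendor's signed image or from the machine before deployment; a header that no longer validates is reported just like a changed body.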

While analyzing MoonBounce, Kaspersky researchers discovered malicious loaders and post-exploitation malware on multiple nodes of the same network: ScrambleCross (also known as Sidewalk), a memory-resident implant that communicates with a C2 server to exchange information and run additional plugins; Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials and security secrets; a new Golang-based backdoor; and Microcin, malware commonly used by the cybercriminal group SixLittleMonkeys.

The exact infection vector remains unknown; however, the researchers assume the infection occurs through remote access. Also, whereas LoJax and MosaicRegressor worked by adding DXE drivers, MoonBounce modifies an existing firmware component, making the attack more subtle and harder to notice.

In the broader campaign against the target network, the attackers clearly carried out a wider range of actions, such as archiving files and gathering information about the network. Overall, the commands the attackers used suggest that they were interested in lateral movement and data exfiltration. The use of a UEFI implant indicates that espionage was probably one of their objectives.

Kaspersky researchers have hard evidence attributing MoonBounce to APT41, a Chinese-speaking threat group that has carried out cyber-espionage and cyber-attack campaigns around the world since at least 2012. In addition, the coexistence of the aforementioned malware on the same network points to a possible connection between APT41 and other Chinese-speaking actors.

So far, this firmware bootkit has been detected only once. However, other associated malware (such as ScrambleCross and its loaders) has been identified on the networks of several other victims.

“We can’t say with certainty whether MoonBounce is related to other malware implants detected during our analysis, but it appears that some Chinese-speaking hacker groups are sharing tools in various campaigns; with all due reservations, MoonBounce could in particular be linked to Microcin,” adds Denis Legezo, senior security researcher in Kaspersky’s Global Research and Analysis Team (GReAT).

“More importantly, this latest UEFI bootkit is a big step up from MosaicRegressor, which we reported on in 2020. [...] malware on the system. This is an innovation over previous comparable firmware bootkits. We predicted in 2018 that UEFI threats would become more common, and that trend seems to be happening. It wouldn’t be surprising to detect additional bootkits in 2022. Fortunately, vendors have started to pay more attention to firmware-targeted attacks, and security technologies like BootGuard and Trusted Platform Modules are gradually being adopted,” emphasizes Mark Lechtik, senior security researcher, GReAT, Kaspersky.

In order to protect yourself from UEFI bootkits like MoonBounce, Kaspersky recommends applying the following measures:

  • Provide your SOC team with access to the latest threat intelligence.
  • Implement EDR solutions for rapid detection, investigation and remediation of endpoint incidents.
  • Use a robust endpoint protection solution that can detect the use of firmware.
  • Update your UEFI firmware regularly and only use firmware from trusted vendors.
  • Enable Secure Boot by default, and especially BootGuard and TPM where possible.

About Kaspersky

Kaspersky is an international cybersecurity and digital privacy protection company founded in 1997. Kaspersky’s expertise in threat intelligence and computer security constantly feeds the creation of security solutions and services that protect businesses, critical infrastructures, public authorities and individuals around the world.

Source: Kaspersky
