Chinese Hackers are Using a New UEFI Firmware Implant Called MoonBounce
- By David Lukic
- Published: Jan 21, 2022
- Last Updated: Mar 18, 2022
Hackers based in China are carrying out a new targeted digital attack using a UEFI firmware implant. The attack is attributed to the Winnti advanced persistent threat group, also known as APT41. The group used a previously undocumented firmware implant to covertly conduct targeted espionage. The antivirus specialists at Kaspersky have given the rootkit the codename MoonBounce.
Why is MoonBounce a Problem?
Digital security experts describe MoonBounce as a highly advanced UEFI firmware implant. In fact, Kaspersky's researchers consider it the most advanced UEFI implant seen to date. The objective of the implant is to facilitate the delivery of user-mode malware that executes additional payloads downloaded from the web.
Firmware-based rootkits were once quite rare. However, they are quickly becoming valuable tools for infiltrating target systems in a way that is difficult to detect and eliminate. The first firmware-level rootkit, LoJax, was identified in 2018. Since then, three more UEFI malware instances have been identified: ESPecter, FinFisher, and MosaicRegressor.
MoonBounce has digital security professionals concerned as it targets the ESP, short for EFI System Partition. The recently identified rootkit, like MosaicRegressor and LoJax, also zeroes in on SPI flash, a storage component that sits on the motherboard rather than on the hard drive. Because the bootkit is implanted in the SPI flash attached to the machine's motherboard, it is essentially immune to ordinary remediation: even if the operating system were fully reinstalled and the hard drive replaced, the infection would remain.
The firmware rootkit is made more clandestine by modifying an existing firmware component to change its behavior. This approach is unique among known UEFI implants because it does not require adding a driver to the firmware image. The aim is to divert the boot sequence's execution flow into a malicious infection chain that delivers user-mode malware when the system starts. The malware then connects to a hardcoded remote server to obtain the next payload.
When was the Attack Identified?
Kaspersky's cybersecurity specialists indicate they identified the firmware rootkit in only one attack during 2021, meaning it is narrowly targeted. Kaspersky representatives have also stated they are unsure what mechanism was used to deliver the UEFI firmware infection.
Can MoonBounce be Stopped?
This digital attack will likely be defeated at some point down the line, yet it might continue to cause problems in the months ahead. The components of the infection chain operate in memory, so no traces are written to the hard drive. The result is a fileless attack that leaves little evidence behind.
Add to this the fact that the attack also uses non-UEFI implants within the target network that communicate with the infrastructure hosting the initial payload, and thwarting the attack becomes all the more challenging.
The best line of digital defense against MoonBounce is keeping UEFI firmware regularly updated and enabling the protections it provides. Examples of such protections include the Trusted Platform Module (TPM), Secure Boot, and Boot Guard.
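As an added example (not from the article, Kaspersky, or any vendor), the following Python script shows how a defender can verify two of the protections named above on a Linux host: it reads the SecureBoot and SetupMode UEFI variables through efivarfs (each file is a 4-byte little-endian attribute mask followed by the variable's data) and checks for a TPM device under sysfs. The efivarfs path, the EFI_GLOBAL_VARIABLE GUID and the TPM sysfs path are standard kernel locations; the sample variable bytes in the test are constructed. Boot Guard state is not exposed this way and is not checked.

```python
"""Boot-protection posture check (added example; assumes a Linux host with
efivarfs mounted at the standard path and a standard /sys/class/tpm layout)."""
import os
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

EFIVARS_DIR = "/sys/firmware/efi/efivars"
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE
TPM_SYSFS = "/sys/class/tpm"  # tpm0 appears here when the kernel finds a TPM


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file image into (attribute bitmask, variable data)."""
    if len(raw) < 4:
        raise ValueError("efivar image too short: missing 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def boolean_efivar(raw: bytes) -> bool:
    """SecureBoot and SetupMode carry exactly one data byte: 1 = true, 0 = false."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected 1 data byte, got {len(data)}")
    return data[0] == 1


def read_efivar(name: str, guid: str = EFI_GLOBAL_GUID) -> Optional[bytes]:
    """Return the raw efivarfs image for a variable, or None if unreadable
    (legacy BIOS boot, efivarfs not mounted, or insufficient privileges)."""
    path = os.path.join(EFIVARS_DIR, f"{name}-{guid}")
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


@dataclass
class BootPosture:
    secure_boot: Optional[bool]  # None = UEFI variable not readable
    setup_mode: Optional[bool]   # True = no Platform Key enrolled, policy unenforced
    tpm_present: bool

    def findings(self) -> List[str]:
        """Return a list of weaknesses; an empty list means the checked
        protections are in place."""
        out: List[str] = []
        if self.secure_boot is None:
            out.append("UEFI variables not readable: legacy BIOS boot or efivarfs unavailable")
        elif not self.secure_boot:
            out.append("Secure Boot is disabled")
        if self.setup_mode:
            out.append("Platform is in Setup Mode: Secure Boot keys not enrolled, policy not enforced")
        if not self.tpm_present:
            out.append("No TPM device detected")
        return out


def collect_posture() -> BootPosture:
    """Gather the live posture of this host from efivarfs and sysfs."""
    sb_raw = read_efivar("SecureBoot")
    sm_raw = read_efivar("SetupMode")
    secure_boot = boolean_efivar(sb_raw) if sb_raw is not None else None
    setup_mode = boolean_efivar(sm_raw) if sm_raw is not None else None
    tpm_present = os.path.isdir(os.path.join(TPM_SYSFS, "tpm0"))
    return BootPosture(secure_boot, setup_mode, tpm_present)


if __name__ == "__main__":
    posture = collect_posture()
    issues = posture.findings()
    if not issues:
        print("OK: Secure Boot enforced and TPM present")
    for issue in issues:
        print("WARNING:", issue)
```

Run it as root (efivarfs files are readable only by privileged users on most distributions). An empty findings list does not prove the SPI flash is clean; it only confirms that the protections the article recommends are switched on, which is the prerequisite for firmware updates and measured boot to offer any defense.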