Kaspersky has discovered a third in-the-wild case of a firmware bootkit, dubbed MoonBounce. The implant hides in the Unified Extensible Firmware Interface (UEFI) firmware, an essential part of every modern computer, which lives in the SPI flash chip, a storage component separate from the hard drive.

It was first observed in the wild in 2021. MoonBounce has a sophisticated attack flow and shows clear advances over the previously reported UEFI firmware bootkits, LoJax and MosaicRegressor. Because of where it sits, the implant is hard for security products to detect and difficult to remove.

UEFI firmware is a critical component of most machines: its code boots the device and hands control to the software that loads the operating system. The firmware is stored in SPI flash, non-volatile storage separate from the hard disk. Malicious code planted there runs before the operating system, which is what makes malware implanted by a firmware bootkit so hard to eradicate: reformatting the hard drive or reinstalling the OS does not touch the flash chip, so the implant survives both.

Moreover, because the code lives outside the hard drive, such a bootkit's activity goes virtually unnoticed by most security solutions unless they have a feature that explicitly reads and scans the firmware image.

The exact infection vector remains unknown, although the infection is assumed to have happened through remote access to the targeted machine. Where LoJax and MosaicRegressor worked by adding their own DXE drivers to the firmware image, MoonBounce modifies an existing firmware component (CORE_DXE), a subtler and stealthier approach: the set of files in the firmware volume does not change, so a check that only looks for unexpected additions will miss it.
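As an added illustration of the detection point in the two paragraphs above (this is example code written for this page, not code from the article, from Kaspersky or from the MoonBounce report): a firmware image read from SPI flash can be inventoried file by file and compared against the vendor's release image. Because MoonBounce patches an existing component instead of adding one, the comparison must hash each file's contents rather than merely count or list the files. The parser follows the EFI_FIRMWARE_VOLUME_HEADER and EFI_FFS_FILE_HEADER layouts from the UEFI Platform Initialization specification; the firmware volumes, GUIDs and byte strings it processes are constructed sample data, not real firmware.

```python
"""Per-file integrity check of UEFI Firmware Volumes (FVs) in a flash dump.

Added example; not code from the article or from Kaspersky. The FV/FFS field
offsets follow the UEFI PI specification. All sample images, GUIDs and byte
strings below are constructed for the demonstration (hypothetical data).
"""
import hashlib
import re
import struct
import uuid

FFS_HEADER_LEN = 24                                            # sizeof(EFI_FFS_FILE_HEADER)
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FILE_TYPES = {0x02: "FREEFORM", 0x05: "DXE_CORE", 0x07: "DRIVER", 0xF0: "PAD"}


def find_fvs(image: bytes):
    """Yield the base offset of every FV in the dump ("_FVH" sits at header offset 40)."""
    for m in re.finditer(b"_FVH", image):
        base = m.start() - 40
        if base >= 0:
            fv_len, = struct.unpack_from("<Q", image, base + 32)
            if 0 < fv_len <= len(image) - base:
                yield base


def parse_fv(image: bytes, base: int) -> dict:
    """Return {file_guid: (type_name, sha256_of_body)} for the FV at `base`."""
    fv_len, = struct.unpack_from("<Q", image, base + 32)
    hdr_len, = struct.unpack_from("<H", image, base + 48)
    end, off, files = base + fv_len, base + hdr_len, {}
    while off + FFS_HEADER_LEN <= end:
        hdr = image[off:off + FFS_HEADER_LEN]
        if hdr == b"\xff" * FFS_HEADER_LEN:          # erased free space: no more files
            break
        name = uuid.UUID(bytes_le=hdr[0:16])
        ftype = hdr[18]
        size = int.from_bytes(hdr[20:23], "little")  # 24-bit size, header included
        if size < FFS_HEADER_LEN or off + size > end:
            raise ValueError(f"corrupt FFS header at offset {off:#x}")
        body = image[off + FFS_HEADER_LEN:off + size]
        files[str(name)] = (FILE_TYPES.get(ftype, f"{ftype:#04x}"), hashlib.sha256(body).hexdigest())
        off = (off + size + 7) & ~7                   # FFS files are 8-byte aligned
    return files


def inventory(image: bytes) -> dict:
    """Merge the file inventories of every FV found in the image."""
    files = {}
    for base in find_fvs(image):
        files.update(parse_fv(image, base))
    return files


def diff_inventory(known_good: dict, dumped: dict) -> dict:
    """Added files (LoJax/MosaicRegressor style), removed files, modified files (MoonBounce style)."""
    return {
        "added": sorted(set(dumped) - set(known_good)),
        "removed": sorted(set(known_good) - set(dumped)),
        "modified": sorted(g for g in known_good if g in dumped and known_good[g][1] != dumped[g][1]),
    }


# --- constructed sample data (hypothetical GUIDs and placeholder bytes) ---------

def _ffs_file(name: uuid.UUID, ftype: int, body: bytes) -> bytes:
    size = FFS_HEADER_LEN + len(body)
    # Name, IntegrityCheck (zeroed here), Type, Attributes, Size[3], State
    return name.bytes_le + b"\x00\x00" + bytes([ftype, 0]) + size.to_bytes(3, "little") + b"\xf8" + body


def build_fv(files, fv_len: int = 0x1000) -> bytes:
    """Minimal FFSv2 volume: 56-byte header, one block-map entry, terminator, files, 0xFF fill."""
    hdr_len = 72
    header = (b"\x00" * 16 + FFS2_GUID.bytes_le
              + struct.pack("<Q4sIHHHBB", fv_len, b"_FVH", 0, hdr_len, 0, 0, 0, 2)
              + struct.pack("<IIII", 1, fv_len, 0, 0))
    body = b""
    for name, ftype, data in files:
        body += _ffs_file(name, ftype, data)
        body += b"\xff" * (-len(body) % 8)
    return header + body + b"\xff" * (fv_len - hdr_len - len(body))


CORE_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")   # hypothetical DXE core GUID
NET_GUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")    # hypothetical network driver GUID
EXTRA_GUID = uuid.UUID("deadbeef-0000-4000-8000-000000000001")  # hypothetical injected driver GUID


def sample_images():
    """Vendor image, a MoonBounce-style patched copy, and a copy with an extra driver appended."""
    core = b"\x48\x8b\xc4\x48\x89\x58\x08" + b"\x00" * 57        # placeholder bytes, not real code
    drv = b"\x40\x53\x48\x83\xec\x20" + b"\x00" * 26
    vendor = build_fv([(CORE_GUID, 0x05, core), (NET_GUID, 0x07, drv)])
    patched = bytearray(core)
    patched[8:12] = b"\xe8\x00\x10\x00"                          # in-place patch: same files, same sizes
    tampered = build_fv([(CORE_GUID, 0x05, bytes(patched)), (NET_GUID, 0x07, drv)])
    with_extra = build_fv([(CORE_GUID, 0x05, core), (NET_GUID, 0x07, drv), (EXTRA_GUID, 0x07, b"\x90" * 32)])
    return vendor, tampered, with_extra


if __name__ == "__main__":
    vendor, tampered, with_extra = sample_images()
    good = inventory(vendor)
    print("patched core :", diff_inventory(good, inventory(tampered)))
    print("extra driver :", diff_inventory(good, inventory(with_extra)))
```

In practice the dump would come from a tool such as flashrom or CHIPSEC and the known-good inventory from the vendor's update image; a "modified" entry for the DXE core is exactly the signal a plain file-list comparison would miss, while an "added" entry is the LoJax/MosaicRegressor pattern. Real images also carry compressed sections and nested volumes that this parser does not descend into, so treat it as the skeleton of the check rather than a finished scanner.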

The attackers evidently carried out a wide range of post-compromise actions, including archiving files and gathering network information. The commands they ran suggest an interest in lateral movement and data exfiltration, and the choice of a UEFI implant, a persistence mechanism above all, points to long-running espionage as the goal.

Kaspersky attributes MoonBounce to APT41, a widely reported Chinese-speaking threat actor that has conducted cyber espionage and cybercrime campaigns worldwide since at least 2012. Kaspersky also notes a possible connection between APT41 and other Chinese-speaking threat actors.

To stay protected from UEFI bootkits like MoonBounce, Kaspersky recommends:

  • Give your SOC team access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company's TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
  • For endpoint-level detection, investigation and timely remediation of incidents, implement an EDR solution such as Kaspersky Endpoint Detection and Response.
  • Use a robust endpoint security product that can scan firmware for implants, such as Kaspersky Endpoint Security for Business.
  • Regularly update your UEFI firmware and only use firmware from trusted vendors.
  • Enable Secure Boot by default, and use Intel Boot Guard and a TPM (for measured boot) where the platform supports them. Note that Secure Boot alone does not protect against a firmware-level implant: it verifies the boot loaders and drivers the firmware loads, not the firmware image itself, which is what Boot Guard and TPM-based measurement are for.

For a more detailed analysis of MoonBounce, read the full report on Securelist. 

