Researchers at Kaspersky have uncovered what they describe as the third known case of a UEFI firmware bootkit found in the wild, which they have dubbed MoonBounce.
MoonBounce, first seen in the wild in spring 2021, uses a sophisticated attack flow and is a clear advance over the previously reported Unified Extensible Firmware Interface (UEFI) firmware bootkits, LoJax and MosaicRegressor.
“The implant rests in the CORE_DXE component of the firmware, which is called upon early during the UEFI boot sequence. Then, through a series of hooks that intercept certain functions, the implant’s components make their way into the operating system, where they reach out to a command & control server in order to retrieve further malicious payloads, which we were unable to retrieve. It’s worth noting that the infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint,” the researchers said.
They noted that the implant is notoriously difficult to remove and has limited visibility to security products because “it is hidden within a computer’s UEFI firmware, an essential part of computers, in the SPI flash, a storage component external to the hard drive”. Because the implant lives in the SPI flash rather than on disk, reinstalling the operating system or replacing the drive does not remove it; only reflashing the firmware with a known-good image does.
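The practical check against a firmware implant of this kind is differential analysis of the SPI flash: dump the flash (for example with CHIPSEC's `chipsec_util spi dump` or a hardware programmer), walk the UEFI firmware volumes it contains, and compare the hash of every FFS file, the DXE core included, against the vendor's clean image. The script below is an added example written for this article, not Kaspersky's tooling and not code from the original page. It builds two small FFS2 firmware volumes in memory, a "vendor baseline" and a copy whose DXE-core body has been altered, and reports which modules changed; the GUIDs, module bodies and block layout are constructed placeholders, and in practice the baseline comes from the OEM update capsule and the suspect image from the machine under investigation.

```python
from __future__ import annotations
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FFS_HDR = 24          # sizeof(EFI_FFS_FILE_HEADER)
FV_HDR_FIXED = 56     # EFI_FIRMWARE_VOLUME_HEADER up to and including Revision, before the block map
EFI_FV_FILETYPE_DXE_CORE = 0x05
EFI_FV_FILETYPE_DRIVER = 0x07

# Constructed placeholder GUIDs; real CORE_DXE / driver GUIDs are vendor specific.
DXE_CORE_GUID = uuid.UUID("00000000-0000-4000-8000-00000000dc0e")
DRIVER_GUID = uuid.UUID("00000000-0000-4000-8000-00000000d001")


def _checksum8(data: bytes) -> int:
    """Byte that makes sum(data + byte) % 256 == 0 (FFS header checksum rule)."""
    return (-sum(data)) & 0xFF


def build_ffs_file(guid: uuid.UUID, file_type: int, body: bytes) -> bytes:
    """Serialise one FFS2 file (24-byte header + body), padded to 8 bytes with 0xFF."""
    size = FFS_HDR + len(body)
    # Header checksum is computed with IntegrityCheck and State zeroed.
    hdr = guid.bytes_le + b"\x00\x00" + bytes([file_type, 0x00]) + size.to_bytes(3, "little") + b"\x00"
    integrity = bytes([_checksum8(hdr), 0xAA])  # data checksum byte is fixed 0xAA when FFS_ATTRIB_CHECKSUM is clear
    hdr = guid.bytes_le + integrity + bytes([file_type, 0x00]) + size.to_bytes(3, "little") + b"\xF8"
    return hdr + body + b"\xFF" * ((-size) % 8)


def build_fv(files: list[bytes], block_size: int = 0x1000) -> bytes:
    """Serialise a firmware volume (FFS2) with a single block-map entry and 0xFF erased tail."""
    body = b"".join(files)
    hdr_len = FV_HDR_FIXED + 8 + 8              # fixed part + one block entry + terminator
    total = hdr_len + len(body)
    num_blocks = -(-total // block_size)        # ceiling division
    fv_len = num_blocks * block_size
    block_map = struct.pack("<II", num_blocks, block_size) + struct.pack("<II", 0, 0)
    fixed = (b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", fv_len) + FV_SIGNATURE
             + struct.pack("<IHHHBB", 0x0004FEFF, hdr_len, 0, 0, 0, 2))  # attrs, HeaderLength, Checksum, ExtHdrOff, Reserved, Revision
    words = struct.unpack("<%dH" % ((len(fixed) + len(block_map)) // 2), fixed + block_map)
    checksum = (-sum(words)) & 0xFFFF           # 16-bit word checksum over the whole header
    hdr = fixed[:50] + struct.pack("<H", checksum) + fixed[52:] + block_map
    return hdr + body + b"\xFF" * (fv_len - total)


def find_fvs(image: bytes) -> list[int]:
    """Locate firmware volumes by the '_FVH' signature that sits at header offset 40."""
    offs, sig = [], image.find(FV_SIGNATURE)
    while sig >= 0:
        fv_off = sig - 40
        if fv_off >= 0 and fv_off + FV_HDR_FIXED <= len(image):
            fv_len = struct.unpack_from("<Q", image, fv_off + 32)[0]
            hdr_len = struct.unpack_from("<H", image, fv_off + 48)[0]
            if FV_HDR_FIXED < hdr_len <= fv_len <= len(image) - fv_off:
                offs.append(fv_off)
                sig = image.find(FV_SIGNATURE, fv_off + fv_len)  # skip past this volume
                continue
        sig = image.find(FV_SIGNATURE, sig + 1)
    return offs


def parse_fv(image: bytes, fv_off: int) -> tuple[int, dict[str, tuple[int, str]]]:
    """Walk the FFS files of the volume at fv_off; return (fv_length, {guid: (type, sha256 of body)})."""
    fv_len = struct.unpack_from("<Q", image, fv_off + 32)[0]
    hdr_len = struct.unpack_from("<H", image, fv_off + 48)[0]
    files, pos, end = {}, fv_off + hdr_len, fv_off + fv_len
    while pos + FFS_HDR <= end:
        hdr = image[pos:pos + FFS_HDR]
        if hdr == b"\xFF" * FFS_HDR:            # erased flash: no more files in this volume
            break
        size = int.from_bytes(hdr[20:23], "little")
        check = bytearray(hdr)
        check[17] = 0                           # data checksum byte
        check[23] = 0                           # State byte
        if size < FFS_HDR or pos + size > end or sum(check) & 0xFF:
            raise ValueError("corrupt FFS header at 0x%x" % pos)
        body = image[pos + FFS_HDR:pos + size]
        files[str(uuid.UUID(bytes_le=hdr[:16]))] = (hdr[18], hashlib.sha256(body).hexdigest())
        pos += (size + 7) & ~7                  # files are 8-byte aligned
    return fv_len, files


def inventory(image: bytes) -> dict[str, tuple[int, str]]:
    """Map every FFS file GUID in the image to (file type, SHA-256 of its body)."""
    inv: dict[str, tuple[int, str]] = {}
    for fv_off in find_fvs(image):
        inv.update(parse_fv(image, fv_off)[1])
    return inv


def diff_images(baseline: bytes, suspect: bytes) -> dict[str, list[str]]:
    """Report modules whose body hash differs from, is missing from, or was added to the vendor image."""
    base, susp = inventory(baseline), inventory(suspect)
    return {
        "modified": sorted(g for g in base if g in susp and base[g][1] != susp[g][1]),
        "removed": sorted(g for g in base if g not in susp),
        "added": sorted(g for g in susp if g not in base),
    }


def build_sample_images() -> tuple[bytes, bytes]:
    """Constructed vendor baseline and a copy whose DXE core body was patched in place (same size)."""
    clean_core = b"DXE core code " * 20
    driver = b"some driver " * 10
    patched_core = clean_core[:-16] + b"\x90" * 16   # same length, different bytes, like a hooked routine
    baseline = build_fv([build_ffs_file(DXE_CORE_GUID, EFI_FV_FILETYPE_DXE_CORE, clean_core),
                         build_ffs_file(DRIVER_GUID, EFI_FV_FILETYPE_DRIVER, driver)])
    suspect = build_fv([build_ffs_file(DXE_CORE_GUID, EFI_FV_FILETYPE_DXE_CORE, patched_core),
                        build_ffs_file(DRIVER_GUID, EFI_FV_FILETYPE_DRIVER, driver)])
    return baseline, suspect


if __name__ == "__main__":
    base, susp = build_sample_images()
    print(diff_images(base, susp))
```

Two caveats for real dumps: production images usually nest the DXE volume inside a compressed section of an outer volume, which this flat walker does not decompress (use UEFITool or uefi-firmware-parser to extract it first), and a size-preserving patch like the constructed one above is exactly why file hashes rather than file sizes or volume layout are the right thing to compare.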
Kaspersky has attributed MoonBounce with considerable confidence to APT41, which has been widely reported to be a Chinese-speaking threat actor that has conducted cyberespionage and cybercrime campaigns around the world since at least 2012. It said that the presence of other malware in the same network suggests a possible connection between APT41 and other Chinese-speaking threat actors.
“While we can’t definitely connect the additional malware implants found during our investigation with MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one another to aid in their various campaigns; there especially seems to be a low confidence connection between MoonBounce and Microcin,” said Denis Legezo, a senior security researcher with Kaspersky’s Global Research and Analysis Team (GReAT).
The researchers said the firmware bootkit has so far been found on only a single machine, belonging to a holding company in the high-tech sector.