Third Firmware Bootkit Discovered

Cybersecurity scientists at Kaspersky have found a third identified scenario of a firmware bootkit in the wild.

The kit, which created its initial visual appeal in the wild in the spring of 2021, has been named MoonBounce. Researchers are confident that the campaign is the function of nicely-known Chinese-talking innovative persistent threat (APT) actor APT41.

MoonBounce demonstrates a more complicated attack move and bigger complex sophistication than earlier discovered bootkits LoJax and MosaicRegressor.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

The malicious implant was observed hiding inside the Main_DXE part of the Unified Extensible Firmware Interface (UEFI) firmware. UEFI firmware is critical due to the fact its code is dependable for booting up a system and passing management to the program that masses the running process (OS). 

After MoonBounce’s factors have built their way into the running technique, they arrive at out to a command & control server to retrieve further malicious payloads, which Kaspersky researchers could not retrieve.

The code to boot the device is saved in a non-unstable component exterior to the tough push identified as the Serial Peripheral Interface (SPI) flash. 

Scientists mentioned that Bootkits of this form are exceptionally really hard to detect for the reason that the code they concentrate on is positioned exterior of the device’s tricky push in an location that most security remedies do not scan as typical. 

Firmware bootkits are also hard to delete. They cannot be eradicated just by reformatting a really hard drive or reinstalling an OS because the code is launched ahead of the operating technique.

“The an infection chain by itself does not leave any traces on the tricky push, because its elements work in memory only, therefore facilitating a fileless attack with a little footprint,” famous researchers. 

Though investigating MoonBounce, scientists appeared to detect a website link between the bootkit and Microcin malware utilised by the SixLittleMonkeys danger actor.

“While we cannot definitely hook up the extra malware implants identified during our exploration to MoonBounce especially, it does look as if some Chinese-talking danger actors are sharing equipment with a single another to aid in their different strategies there specially appears to be to be a very low self-confidence link involving MoonBounce and Microcin,” explained Denis Legezo, senior security researcher with Fantastic (Kaspersky’s Worldwide Analysis and Analysis Group).