Kaspersky has discovered the third case of a firmware bootkit in the wild

Kaspersky researchers have discovered the third case of a firmware bootkit in the wild. Named MoonBounce, this malicious implant is hidden in the computer's Unified Extensible Firmware Interface (UEFI) firmware, which resides in the SPI flash, a storage component located outside the hard drive. Such implants are known to be difficult to remove and are largely invisible to security products. After first appearing in the wild in the spring of 2021, MoonBounce has shown a sophisticated course of attack, with evident progress compared to previously reported UEFI firmware bootkits. Kaspersky researchers have attributed the attack to the well-known advanced persistent threat (APT) actor APT41 with some certainty.

UEFI firmware is a key component in the vast majority of devices; its code is responsible for booting the device and transferring control to the software that loads the operating system. This code is located in the so-called SPI flash, non-volatile storage located outside the hard drive. If this firmware contains malicious code, that code runs before the operating system, which makes malware implanted by a firmware bootkit especially difficult to remove: it cannot be eliminated by simply reformatting the hard disk or reinstalling the operating system. Moreover, since the code is located outside the hard drive, most security solutions are virtually unable to detect the activity of such bootkits unless they have a dedicated function to scan this part of the device.

MoonBounce is only the third reported UEFI bootkit found in the wild. It appeared in the spring of 2021 and was first discovered by Kaspersky researchers when analyzing the activity of their Firmware Scanner solution, which has been included in Kaspersky products since early 2019 to detect threats hidden in ROM BIOS, including UEFI firmware images. Compared to the two previously discovered bootkits, LoJax and MosaicRegressor, MoonBounce shows significant progress with a more complicated flow of attacks and greater technical sophistication.

The implant is located in the CORE_DXE firmware component, which runs early in the UEFI boot sequence. Then, through a series of hooks that intercept certain functions, the implant's components make their way into the operating system, where they contact the command-and-control server to retrieve further malicious payloads, which the researchers were unable to recover. It is important to note that the infection chain itself leaves no traces on the hard drive, because its components work only in memory, which enables a fileless attack with a small footprint.

While analyzing MoonBounce, Kaspersky researchers discovered several malicious loaders and post-exploitation malware on several nodes of the same network. These include ScrambleCross (also known as SideWalk), an in-memory implant that can communicate with a C2 server to exchange information and load plugins; Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials and security secrets; a previously unknown backdoor written in Go; and Microcin, a malware commonly used by the threat actor SixLittleMonkeys.

The exact infection vector remains unknown; however, it is assumed that the infection occurs through remote access to the targeted device. In addition, while LoJax and MosaicRegressor added their own DXE drivers to the firmware, MoonBounce modifies an existing firmware component to achieve a subtler and more covert attack.
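Because MoonBounce patches a component that is already present rather than adding a driver, a scanner that only looks for unexpected files in the firmware volume would miss it; comparing the hash of every FFS file in an SPI dump against the same file in the vendor's reference image catches both cases. The following is an added example, not Kaspersky's Firmware Scanner or any vendor code: it walks the UEFI firmware-volume and FFS file headers as laid out in the PI specification (it does not handle large-file headers or verify checksums), and the GUIDs and images it uses are constructed placeholders.

```python
import hashlib
import struct
import uuid

FFS_HEADER_LEN = 24         # EFI_FFS_FILE_HEADER: GUID(16) IntegrityCheck(2) Type(1) Attributes(1) Size(3) State(1)
FV_SIGNATURE_OFFSET = 0x28  # offset of the "_FVH" signature inside EFI_FIRMWARE_VOLUME_HEADER

def ffs_files(image: bytes) -> dict:
    """Map every FFS file GUID in every firmware volume to the SHA-256 of the whole file (header + body)."""
    result, pos = {}, image.find(b"_FVH")
    while pos != -1:
        fv_start = pos - FV_SIGNATURE_OFFSET
        fv_len, = struct.unpack_from("<Q", image, fv_start + 0x20)   # FvLength
        hdr_len, = struct.unpack_from("<H", image, fv_start + 0x30)  # HeaderLength (includes the block map)
        off = hdr_len
        while off + FFS_HEADER_LEN <= fv_len:
            hdr = image[fv_start + off:fv_start + off + FFS_HEADER_LEN]
            size = int.from_bytes(hdr[20:23], "little")
            if hdr == b"\xff" * FFS_HEADER_LEN or size == 0:   # erased flash, or a large-file header (not handled)
                break
            if hdr[18] != 0xF0:                                # skip EFI_FV_FILETYPE_FFS_PAD filler files
                guid = str(uuid.UUID(bytes_le=hdr[:16]))
                result[guid] = hashlib.sha256(image[fv_start + off:fv_start + off + size]).hexdigest()
            off = (off + size + 7) & ~7                        # FFS files are 8-byte aligned
        pos = image.find(b"_FVH", fv_start + fv_len)
    return result

def modified_files(reference: bytes, dumped: bytes) -> dict:
    """GUIDs whose content differs from the vendor image ('modified') or that the vendor image lacks ('added')."""
    ref, dump = ffs_files(reference), ffs_files(dumped)
    return {g: ("modified" if g in ref else "added") for g, h in dump.items() if ref.get(g) != h}

def build_fv(files) -> bytes:  # minimal firmware volume for constructed test data (no checksums are computed)
    body = b""
    for guid, ftype, payload in files:
        size = FFS_HEADER_LEN + len(payload)
        body += uuid.UUID(guid).bytes_le + b"\0\0" + bytes([ftype, 0]) + size.to_bytes(3, "little") + b"\xf8" + payload
        body += b"\xff" * (-len(body) % 8)
    hdr_len = 0x38 + 16   # fixed header fields + one block-map entry + the terminating (0, 0) entry
    fv_len = hdr_len + len(body)
    head = (b"\0" * 32 + struct.pack("<Q", fv_len) + b"_FVH" + struct.pack("<I", 0)
            + struct.pack("<HHHBB", hdr_len, 0, 0, 0, 2) + struct.pack("<IIII", 1, fv_len, 0, 0))
    return head + body

def demo() -> dict:  # constructed sample: vendor image vs. an SPI dump where one existing file was patched in place
    core_dxe = "11111111-2222-3333-4444-555555555555"   # placeholder GUID standing in for CORE_DXE
    driver = "66666666-7777-8888-9999-aaaaaaaaaaaa"     # placeholder GUID for an untouched DXE driver
    vendor = build_fv([(core_dxe, 0x05, b"CORE_DXE code " * 4), (driver, 0x07, b"driver body")])
    dumped = vendor.replace(b"CORE_DXE code ", b"CORE_DXE hook ", 1)   # same size, content changed, no file added
    return modified_files(vendor, dumped)
```

On a real system the two inputs would be the vendor's firmware update image and a dump read from the SPI flash with a hardware programmer or a flash-reading tool; a non-empty result is a lead to investigate, not proof of an implant, since legitimate updates and NVRAM regions also differ.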

Throughout the campaign against the network in question, it was evident that the attackers carried out a wide range of actions, such as archiving files and collecting network information. The commands used by the attackers during their activity suggest that they were interested in lateral movement and data exfiltration, and given that a UEFI implant was used, it is likely that the attackers were interested in conducting persistent espionage activity.

Kaspersky researchers have attributed MoonBounce with considerable certainty to APT41, an actor widely reported to be Chinese-speaking and to have been conducting cyber espionage and cybercrime campaigns around the world since at least 2012. In addition, the presence of some of the above-mentioned malware on the same network suggests a possible link between APT41 and other Chinese-speaking threat actors.

So far, the firmware bootkit has been found in only one case. However, other related malicious patterns (e.g., ScrambleCross and its loaders) were found on the networks of several other victims.

“Although we can’t definitely connect additional implants and malware found during our research with the MoonBounce actor, it seems as if some Chinese-speaking threat actors are sharing tools with each other to help with their various campaigns; in particular, there seems to be less certainty between MoonBounce and Microcin actors,” adds Denis Legezo, chief security researcher on the GReAT team.

“Perhaps more importantly, this latest UEFI bootkit shows the same significant progress compared to the MosaicRegressor actor, which we reported on back in 2020. In fact, transforming a previously benign key component in the firmware into one that can facilitate the implementation of malware on the system is an innovation not seen in previous comparable firmware bootkits in the wild that makes the threat far more hidden. Back in 2018, we predicted that UEFI threats would gain in popularity, and it seems that this trend is materializing. We would not be surprised to find additional bootkits in 2022. Fortunately, vendors have begun to pay more attention to firmware attacks, and more and more firmware security technologies, such as BootGuard and Trusted Platform Modules, are gradually being adopted,” commented Mark Lechtik, Chief Security Researcher in Kaspersky’s Global Research and Analysis Team (GReAT).

Source: Personal magazin by www.personalmag.rs.