The rootkit, named MoonBounce by Kaspersky, was described as the “most complex UEFI firmware implant identified in the wild to date with the goal of promoting the deployment of user-mode malware that stages execution of further payloads downloaded through the internet.”

The Chinese-speaking Winnti advanced persistent threat group (also tracked as APT41) has been linked to a previously undocumented firmware implant used to maintain covert persistence as part of a targeted espionage campaign.

In 2018, the first UEFI firmware rootkit found in the wild, known as LoJax, was discovered. MosaicRegressor, FinFisher (FinSpy's UEFI bootkit) and ESPecter are three further families of UEFI malware documented since then.

MoonBounce is dangerous for several reasons. Unlike FinFisher and ESPecter, which plant themselves in the EFI System Partition (ESP) on the hard disk, the newly uncovered rootkit, like LoJax and MosaicRegressor, lives in the SPI flash: the non-volatile chip on the motherboard that stores the firmware itself. Because that chip is separate from the disk, the implant survives reinstalling the operating system and even replacing the drive, and removing it means reflashing the firmware.

What adds to its capabilities is that an existing firmware component was modified to change its behaviour, rather than a new driver being added to the image, so an analyst looking for an unfamiliar module in the firmware has nothing to find. The goal was to divert the execution flow of the boot sequence into a malicious infection chain that injects user-mode malware during system startup; that malware then contacts a hard-coded remote server to retrieve the next-stage payload.

The researchers also discovered other, non-UEFI implants in the targeted network that communicated with the same infrastructure that hosted the staging payload. The infection chain leaves no traces on the hard drive because its components operate in memory only, making for a fileless attack with a small footprint.

A backdoor known as ScrambleCross (aka Crosswalk) and a number of post-exploitation implants were among the components found across numerous nodes in the network, implying that the attackers moved laterally after gaining initial access in order to exfiltrate data from specific workstations.

To defend against firmware-level alterations, keep the UEFI firmware up to date (applying vendor-signed updates) and enable security features such as Boot Guard, Secure Boot and the Trusted Platform Module (TPM). Each covers a different layer: Secure Boot verifies signatures on loaders and drivers loaded from the ESP, so on its own it does not stop an implant already written into the SPI flash; Boot Guard verifies the firmware in flash before it runs; and measured boot records each firmware stage into the TPM's PCRs, so a modified firmware image shows up as a PCR0 value that no longer matches a known-good baseline, provided the measurement code that runs before the patched component is itself intact.
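One way to act on the measured-boot point above is to replay the TPM event log and compare the recomputed PCR0 with a golden value recorded from a known-clean boot; the first event whose digest differs tells you which firmware stage was altered. The following is an added example, not code from the article or from Kaspersky's report. It parses the legacy TCG 1.2 SHA-1 event-log format (what `/sys/kernel/security/tpm0/binary_bios_measurements` contains on a TPM 1.2 Linux host; TPM 2.0 "crypto-agile" logs need a different parser). The sample logs, the event data strings and the "CORE_DXE" label are constructed here for illustration and are not real firmware measurements.

```python
#!/usr/bin/env python3
"""Replay a TCG 1.2 (SHA-1) TPM event log and check PCR0 against a golden value.

Added example, not from the article or Kaspersky's report. Sample logs below
are constructed; their digests are illustrative, not real measurements.
"""
import hashlib
import struct
from collections import defaultdict

PCR_SIZE = 20                               # SHA-1 PCR bank
EVENT_HEADER = struct.Struct("<II20sI")     # pcrIndex, eventType, digest, eventSize

# A few TCG event types, by value
EV_POST_CODE = 0x00000001
EV_SEPARATOR = 0x00000004
EV_S_CRTM_VERSION = 0x00000008
EV_EFI_BOOT_SERVICES_DRIVER = 0x80000004


def parse_events(log):
    """Yield (pcr, event_type, digest, data) tuples; raise ValueError on a truncated log."""
    off = 0
    while off < len(log):
        if off + EVENT_HEADER.size > len(log):
            raise ValueError("truncated event header at offset %d" % off)
        pcr, etype, digest, size = EVENT_HEADER.unpack_from(log, off)
        off += EVENT_HEADER.size
        data = log[off:off + size]
        if len(data) != size:
            raise ValueError("truncated event data at offset %d" % off)
        off += size
        yield pcr, etype, digest, data


def extend(pcr_value, digest):
    """TPM extend operation for the SHA-1 bank: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr_value + digest).digest()


def replay(log):
    """Recompute every PCR the log touches, starting from all-zero PCRs."""
    pcrs = defaultdict(lambda: bytes(PCR_SIZE))
    for pcr, _etype, digest, _data in parse_events(log):
        pcrs[pcr] = extend(pcrs[pcr], digest)
    return dict(pcrs)


def verify_pcr0(log, golden_pcr0_hex):
    """Return (ok, computed_hex). The golden value would come from a clean boot,
    e.g. `tpm2_pcrread sha1:0` on a freshly provisioned machine."""
    computed = replay(log).get(0, bytes(PCR_SIZE)).hex()
    return computed == golden_pcr0_hex.lower(), computed


def first_divergence(good_log, suspect_log):
    """Index of the first PCR0 event whose digest differs between the two logs,
    or None if they agree. This pinpoints the altered firmware stage."""
    good = [e for e in parse_events(good_log) if e[0] == 0]
    suspect = [e for e in parse_events(suspect_log) if e[0] == 0]
    for i, (g, s) in enumerate(zip(good, suspect)):
        if g[2] != s[2]:
            return i
    return None if len(good) == len(suspect) else min(len(good), len(suspect))


def build_event(pcr, etype, data):
    """Serialize one event; the digest is SHA-1 of the data, as firmware would measure it."""
    return EVENT_HEADER.pack(pcr, etype, hashlib.sha1(data).digest(), len(data)) + data


# Constructed clean-boot log. "CORE_DXE" stands in for the DXE core image that
# the firmware measures into PCR0 before handing control to it.
CLEAN_LOG = b"".join([
    build_event(0, EV_S_CRTM_VERSION, b"CRTM 1.0\x00"),
    build_event(0, EV_POST_CODE, b"vendor firmware volume"),
    build_event(0, EV_EFI_BOOT_SERVICES_DRIVER, b"CORE_DXE original image"),
    build_event(0, EV_SEPARATOR, b"\x00\x00\x00\x00"),
    build_event(7, EV_SEPARATOR, b"\x00\x00\x00\x00"),
])

# The same boot after an in-place patch of the DXE core: one measurement
# changes, and every PCR0 value from that point on changes with it.
TAMPERED_LOG = b"".join([
    build_event(0, EV_S_CRTM_VERSION, b"CRTM 1.0\x00"),
    build_event(0, EV_POST_CODE, b"vendor firmware volume"),
    build_event(0, EV_EFI_BOOT_SERVICES_DRIVER, b"CORE_DXE patched image"),
    build_event(0, EV_SEPARATOR, b"\x00\x00\x00\x00"),
    build_event(7, EV_SEPARATOR, b"\x00\x00\x00\x00"),
])

GOLDEN_PCR0 = replay(CLEAN_LOG)[0].hex()    # recorded once from a trusted machine

if __name__ == "__main__":
    import sys
    log = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else TAMPERED_LOG
    ok, computed = verify_pcr0(log, GOLDEN_PCR0)
    print("PCR0 %s: %s" % ("matches golden" if ok else "MISMATCH", computed))
    if not ok:
        print("first divergent PCR0 event index:", first_divergence(CLEAN_LOG, log))
```

The replayed value must also be compared with what the TPM itself reports (the log is only a claim about what was measured; the PCR is the evidence), and the check is only as good as the measuring code: an implant that runs before the measurement of its own stage can lie, which is why hardware-rooted verification of the early firmware (Boot Guard) and write protection of the SPI flash belong alongside the TPM comparison.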

Finally, the researchers concluded that "MoonBounce represents a distinct evolution in this group of threats by presenting a more complicated attack flow in comparison to its predecessors, as well as a higher level of technical competence by its authors, who demonstrate a thorough understanding of the finer details involved in the UEFI boot process."

For more cyber security news in crisp content, please follow our site on Twitter (@cyberworkx1) and LinkedIn.
