MoonBounce, a rampaging firmware declared “more elusive” because its malicious implant can hide within essential parts of computers, Kaspersky, a cybersecurity firm, has alerted users.
Kaspersky says its researchers have uncovered the third case the firmware bootkit in the wild that is able to hide within a computer’s Unified Extensible Firmware MoonBounce, the cybersecurity firm says is “more elusive and more persistent” and third known firmware bootkit “shows major advancement.”
“MoonBounce demonstrates a sophisticated attack flow, with evident advancement in comparison to formerly reported UEFI firmware bootkits. The campaign has been attributed with considerable confidence to the well-known advanced persistent threat (APT) actor APT41”, according to the tech firm.
Inside MoonBounce, The Elusive Firmware Difficult To Delete
“UEFI firmware is a critical component in the vast majority of machines” according to the Kaspersky alert which says that “its code is responsible for booting up the device and passing control to the software that loads the operating system.
“This code rests in what’s called SPI flash, a non-volatile storage external to the hard disk. If this firmware contains malicious code, then this code will be launched before the operating system, making malware implanted by a firmware bootkit especially difficult to delete; it can’t be removed simply by reformatting a hard drive or reinstalling an OS. What’s more, because the code is located outside of the hard drive, such bootkits’ activity go virtually undetected by most security solutions unless they have a feature that specifically scans this part of the device”, the tech security firm says.
Accordingly “the implant rests in the CORE_DXE component of the firmware, which is called upon early during the UEFI boot sequence. Then, through a series of hooks that intercept certain functions, the implant’s components make their way into the operating system, where they reach out to a command & control server in order to retrieve further malicious payloads, which we were unable to retrieve. It’s worth noting that the infection chain itself does not leave any traces on the hard drive, as its components operate in memory only, thus facilitating a fileless attack with a small footprint.
“While we can’t definitely connect the additional malware implants found during our investigation with MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one other to aid in their various campaigns; there especially seems to be a low confidence connection between MoonBounce and Microcin,” adds Denis Legezo, senior security researcher with GReAT says.
Kaspersky says it “has attributed MoonBounce with considerable confidence to APT41, which has been widely reported to be a Chinese-speaking threat actor that’s conducted cyberespionage and cybercrime campaigns around the world since at least 2012. In addition, the existence of some of the aforementioned malware in the same network suggests a possible connection between APT41 and other Chinese-speaking threat actors.”
While investigating MoonBounce, Kaspersky says its researchers uncovered several malicious loaders and post-exploitation malware across several nodes of the same network.
“This includes ScrambleCross or Sidewalk, an in-memory implant that can communicate to a C2 server to exchange information and execute additional plugins, Mimikat_ssp, a publicly available post-exploitation tool used to dump credentials and security secrets, a formerly unknown Golang based backdoor, and Microcin, malware that is typically used by the SixLittleMonkeys threat actor.
“It could be that MoonBounce downloads these pieces of malware or that previous infection by one of these pieces of malware serves as way of compromising the machine so that MoonBounce can gain a foothold in the network. Another possible infection method for MoonBounce would be if the machine was compromised before it was supplied to the target company. In either case, it is assessed that the infection occurs through remote access to the targeted machine. In addition, while LoJax and MosaicRegressor utilised additions of DXE drivers, MoonBounce modifies an existing firmware component for a more subtle and stealthier attack”, according to Kaspersky.
In order to stay protected from UEFI bootkits like MoonBounce, Kaspersky recommends:
· Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
· For endpoint level detection, investigation, and timely remediation of incidents implement EDR solutions;
· Use a robust endpoint security product that can detect the use of firmware, such as Kaspersky Endpoint Security for Business.
· Regularly update your UEFI firmware and only use firmware from trusted vendors.
· Enable Secure Boot by default, notably BootGuard and TPMs where applicable